SOLVED: Re: POSSIBLE BUG: Cyrus SASL 2.1.22: ldapdb
Patrick Ben Koetter
p at state-of-mind.de
Mon Aug 20 11:34:32 EDT 2007
As you expected, it was an error on my side.
However, I've made a few changes and, for the history, I can't say which one brought the
change. Thanks for the attention to my problem.
p at rick
* Patrick Ben Koetter <p at state-of-mind.de>:
> * Howard Chu <hyc at highlandsun.com>:
> > Patrick Ben Koetter wrote:
> > >This mail expands on a mail I had sent to cyrus-sasl at lists.andrew.cmu.edu a
> > >few days ago. I spent the last days testing this and I believe I have
> > >found a bug.
> >
> > The likelihood that a bug is in the ldapdb code is about zero.
>
> Agreed. That's why I wrote "possible".
>
>
> > >Version: Cyrus SASL 2.1.22
> > >OS: CentOS (also tested and verified on Ubuntu and OpenSuse)
> > >Description: Entries that successfully can be authenticated using the
> > > ldapwhoami command can only partially be authenticated using
> > > the Cyrus SASL ldapdb-plugin.
> >
> > >Steps to reproduce:
> > >(All files are available for download at
> > ><http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
> >
> > Since you've gone to the trouble of packaging this up, you should also have
> > included an extract from the slapd debug log taken from running the sample-
> > authentication.
>
>
> Right. My fault. I've created a completely new package and put it at
> http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz.
>
> It contains log from "loglevel ACL traces".
>
>
> > >1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> > >2. Use ldapwhoami to verify authentication:
> > >
> > > [root at netinstall ldap]# ldapwhoami -U a -w a
> > > SASL/DIGEST-MD5 authentication started
> > > SASL username: a
> > > SASL SSF: 128
> > > SASL installing layers
> > > dn:uid=a,ou=people,dc=example,dc=com
> > > Result: Success (0)
> > >
> > > [root at netinstall ldap]# ldapwhoami -U b -w b
> > > SASL/DIGEST-MD5 authentication started
> > > SASL username: b
> > > SASL SSF: 128
> > > SASL installing layers
> > > dn:uid=b,ou=people,dc=example,dc=com
> > > Result: Success (0)
> >
> > Neither of these commands reflects what the ldapdb plugin does. To test
> > that you first need to test e.g.
> > ldapwhoami -U proxyuser -X a
>
> [root at netinstall ~]# ldapwhoami -U proxyuser -X a
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
> additional info: SASL(-14): authorization failure: unable authorization ID
>
>
> So it seems that the proxyuser has "Insufficient access". I've followed the
> traces of authentication in the log and see that it fails, but I can't tell
> why.
>
> If I interpret the log correctly, the authz-regexp mapping works and maps
> proxyuser to the correct dn. Permission is given to read the uid and
> userPassword, but then it fails. This is where I am lost.
>
> (On a side note I wonder: if proxyuser fails, how come the ldapdb plugin would
> work for one entry and not the other?)
>
> p at rick
>
> P.S: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you want
> me to, I can open a new thread on openldap.
>
> --
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
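The exchange above turns on the difference between the two tests: `ldapwhoami -U a -w a` authenticates as `a`, while `ldapwhoami -U proxyuser -X a` authenticates as `proxyuser` and asks slapd to authorize it as `a`, which is what the ldapdb auxprop plugin does when it fetches a user's credentials. The following Python model, added here and not part of the original thread nor of OpenLDAP or Cyrus SASL, shows where such a request can fail even though the authz-regexp mapping succeeds: besides the mapping, slapd's authz-policy must grant the proxy identity the right to assume the target identity (an authzTo value on the proxy entry under `authz-policy to`, or authzFrom on the target under `from`). The authz-regexp rule, the directory entries and the authzTo value are constructed assumptions, not the configuration from the referenced tarball, and realms and the other authz-policy forms are left out.

```python
import re

# Constructed slapd.conf-style settings (assumptions, not the reporter's config).
AUTHZ_REGEXP = [
    (r"uid=([^,]+),cn=digest-md5,cn=auth", "uid=$1,ou=people,dc=example,dc=com"),
]
AUTHZ_POLICY = "to"   # 'authz-policy to': the proxy entry lists whom it may become

# Constructed directory content (DN -> attributes). Only proxyuser carries authzTo,
# and it names 'a' only, so proxying as 'b' is refused even though 'b' exists.
DIRECTORY = {
    "uid=a,ou=people,dc=example,dc=com": {"uid": ["a"]},
    "uid=b,ou=people,dc=example,dc=com": {"uid": ["b"]},
    "uid=proxyuser,ou=people,dc=example,dc=com": {
        "uid": ["proxyuser"],
        "authzTo": ["dn.exact:uid=a,ou=people,dc=example,dc=com"],
    },
}


def sasl_identity_dn(ident, mech="digest-md5"):
    """The cn=auth form slapd gives a SASL authentication or authorization id.
    'u:name' (the form ldapwhoami -X sends) and a bare name are user names;
    'dn:' ids are already DNs. Realms are ignored in this model."""
    if ident.startswith("dn:"):
        return ident[3:]
    if ident.startswith("u:"):
        ident = ident[2:]
    return f"uid={ident},cn={mech},cn=auth"


def apply_authz_regexp(auth_dn, rules=AUTHZ_REGEXP):
    """Rewrite the cn=auth DN with the first matching authz-regexp rule;
    an unmatched identity keeps its cn=auth form, as slapd would leave it."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            # slapd writes back-references as $1; Python's expand wants \1
            return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return auth_dn


def authz_allowed(authc_dn, authz_dn, directory=DIRECTORY, policy=AUTHZ_POLICY):
    """Simplified authz-policy: 'to' reads authzTo on the authenticated entry,
    'from' reads authzFrom on the target entry, 'both' reads both.
    Only the dn:, dn.exact: and dn.regex: value forms are modelled."""
    checks = []
    if policy in ("to", "both"):
        checks += [(v, authz_dn) for v in directory.get(authc_dn, {}).get("authzTo", [])]
    if policy in ("from", "both"):
        checks += [(v, authc_dn) for v in directory.get(authz_dn, {}).get("authzFrom", [])]
    for value, target in checks:
        if value.startswith("dn.regex:"):
            if re.search(value[len("dn.regex:"):], target, re.IGNORECASE):
                return True
        elif value.startswith(("dn:", "dn.exact:")):
            if target.lower() == value.split(":", 1)[1].lower():
                return True
    return False


def whoami(authcid, authzid=None):
    """Simulate 'ldapwhoami -U authcid [-X authzid]' against the model.
    Returns (result_code, identity_or_reason): 0 = Success, 50 = Insufficient access."""
    authc_dn = apply_authz_regexp(sasl_identity_dn(authcid))
    if authzid is None:
        # plain bind: the mapped authentication identity is the answer
        return 0, f"dn:{authc_dn}"
    authz_dn = apply_authz_regexp(sasl_identity_dn(authzid))
    if authz_allowed(authc_dn, authz_dn):
        return 0, f"dn:{authz_dn}"
    return 50, f"Insufficient access: {authc_dn} may not authorize as {authz_dn}"


if __name__ == "__main__":
    for authc, authz in (("a", None), ("b", None), ("proxyuser", "u:a"), ("proxyuser", "u:b")):
        print(f"-U {authc}" + (f" -X {authz}" if authz else ""), "->", whoami(authc, authz))
```

Running the model reproduces the thread's pattern: both direct binds succeed, the proxied bind succeeds only for the identity listed in authzTo, and the other one fails with result 50 regardless of the mapping and of the read access to uid and userPassword. When debugging a live server, the `loglevel ACL trace` output mentioned in the thread is where the authz-policy decision shows up, after the mapping lines.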