problems sasl not create database sasl.db

Dan White dwhite at olp.net
Tue Sep 7 17:51:33 EDT 2010


On 07/09/10 16:59 -0400, spiderslack wrote:
>>That's an unusual location for the sasldb file. Did you compile sasl? If
>>so, which options did you pass to configure, and which version are you
>>using?
>
>I compiled the sasl'm using mandriva and installed the package via urpmi.
>
>But I found that the Mandriva package does not provide support for 
>sasldb, as the command below shows.
>
>[root at localhost ~]# saslauthd -v
>saslauthd 2.1.23
>authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

saslauthd is not the preferred interface to sasldb, and in fact is disabled
by default. You'd have to recompile saslauthd to get it.

The preferred method is to specify 'pwcheck_method: auxprop', and
'auxprop_plugin: sasldb' within your application SASL config file.

>I changed the variable SASL_AUTHMECH to "ldap" in the file 
>/etc/sysconfig/saslauthd.

Are you abandoning sasldb?

>After that I tried to access via testsaslauthd and it ran, but the 
>ldapsearch command does not work. Below are the configuration files and 
>the sasl command output.
>
>Any idea where I might be wrong? Thank you.
>
>
>cat /etc/saslauthd.conf
>ldap_servers: ldap://127.0.0.1
>ldap_port: 389
>ldap_version: 3
>ldap_referrals: no
>ldap_search_base: dc=exemplo,dc=com,dc=br
>ldap_auth_method: bind
>
>
>[root at localhost ~]# testsaslauthd -u user -p 123456
>0: OK "Success."
>[root at localhost ~]#
>
>
>[root at localhost ~]# ldapsearch -LLL -Y DIGEST-MD5 -U user cn=benjamin cn
>SASL/DIGEST-MD5 authentication started
>Please enter your password:
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>    additional info: SASL(-13): user not found: no secret in database
>[root at localhost ~]#

You're doing two different things there.

saslauthd, with your configuration, is doing, roughly:

ldapsearch -x -b "dc=exemplo,dc=com,dc=br" -H "ldap://127.0.0.1" uid=user dn
   (anonymous bind)
and given the $dn that is returned:
ldapwhoami -x -b "dc=exemplo,dc=com,dc=br" -H "ldap://127.0.0.1" \
   -D "$dn" -w 123456

and returning success if the bind was successful.

If you wish to perform a DIGEST-MD5 SASL bind (and assuming it's an
OpenLDAP server), you should read chapter 15 of the OpenLDAP
Administrator's Guide. You'll most likely need to configure one or more
'authz-regexp' mappings, and you'll need to verify that your passwords are
stored in plaintext within LDAP.

-- 
Dan White
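As an added illustration of the distinction Dan draws (example code written for this archive page, not from the thread or from Cyrus SASL): saslauthd's bind method only needs the directory to check a password in whatever form it stores it, whereas the server side of a DIGEST-MD5 bind must rebuild the RFC 2831 response from H(user:realm:password), which cannot be derived from a hashed userPassword. The directory entries, realm and nonces below are constructed.

```python
import base64, hashlib, hmac

def digest_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), RFC 2831: the per-user secret a verifier needs (what sasldb stores)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """The 'response' directive of RFC 2831 (qop=auth, no authzid). The client
    computes it from the password; the server must recompute it from a stored secret."""
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def sha_password(password: str) -> str:
    """OpenLDAP {SHA} userPassword form: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed stand-in for the directory (entry names are assumptions). 'user'
# has a hashed password, as slapd usually stores them; 'plain' has cleartext.
DIRECTORY = {
    "uid=user,dc=exemplo,dc=com,dc=br":  {"uid": "user",  "userPassword": sha_password("123456")},
    "uid=plain,dc=exemplo,dc=com,dc=br": {"uid": "plain", "userPassword": "123456"},
}

def _find(username: str):
    return next((a for a in DIRECTORY.values() if a["uid"] == username), None)

def saslauthd_bind(username: str, password: str) -> bool:
    """Model of saslauthd's ldap_auth_method: bind as described above: look up
    the DN for uid=<username>, then simple-bind as that DN. The server only
    has to check the offered password against whatever form it stores."""
    entry = _find(username)
    if entry is None:
        return False
    stored = entry["userPassword"]
    offered = sha_password(password) if stored.startswith("{SHA}") else password
    return hmac.compare_digest(stored.encode(), offered.encode())

def server_digest_verify(username: str, realm: str, nonce: str, cnonce: str,
                         nc: str, qop: str, uri: str, response: str) -> bool:
    """Server side of a DIGEST-MD5 bind: it can only recompute the response if
    it can derive H(user:realm:password), i.e. it holds the cleartext password.
    A hashed userPassword leaves it with no secret, which is the condition
    behind 'SASL(-13): user not found: no secret in database'."""
    entry = _find(username)
    if entry is None or entry["userPassword"].startswith("{"):
        return False
    secret = digest_secret(username, realm, entry["userPassword"])
    return hmac.compare_digest(digest_response(secret, nonce, cnonce, nc, qop, uri), response)
```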

