problem with digest-md5 and openldap

bea chataigne bchataigne at gmail.com
Mon Oct 31 05:37:21 EDT 2011 

Hello,

On a redhat 6, openldap 2.4 and cyrus-sasl 2.1.23.

I create a sasldb syncuser user,
 in my slapd.d configuration I add:
OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser,
dc=xxx, dc=fr "

I give the right of reading has the utisilsateur ldap on sasldb.

PB during a ldapsearch:

# ldapsearch -Y DIGEST-MD5-U syncuser -h localhost
ldap_sasl_interactive_bind_s: Invalid credentials ( 49 )      additional
information: SASL ( 13 ): user not found: no secret in database

Slapd in debug mode sends back  to me:

slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
  slapd[2608]:slapd[2608]: ==> sasl_bind: dn="" mech=<continuing>
datalen=277
  slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
  slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
  slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
  slapd[2608]: slap_sasl_getdn: u:id converted to
uid=syncuser,cn=DIGEST-MD5,cn=auth
  slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
  slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
  slapd[2608]: ==>slap_sasl2dn: converting SASL name
uid=syncuser,cn=digest-md5,cn=auth to a DN
  slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" ->
"cn=syncuser,dc=xxx,dc=fr"
  slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
  slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
  slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
  slapd[2608]: <==slap_sasl2dn: Converted SASL name to
cn=syncuser,dc=xxx,dc=fr
  slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
  slapd[2608]: SASL Canonicalize [conn=1002]:
slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
  slapd[2608]: => hdb_search
  slapd[2608]: daemon: activity on 1 descriptor
  slapd[2608]: daemon: activity on:
  slapd[2608]:
  slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
  slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
  slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
  slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
  slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
  slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
  slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data
pair found (-30988)
  slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry"
requested
  slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
  slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
  slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
  slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
  slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
  slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
  slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
  slapd[2608]: => acl_get: [12] attr entry
  slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry"
requested
  slapd[2608]: => acl_mask: to all values by "", (=0)
  slapd[2608]: <= check a_dn_pat: *
  slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
  slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
  slapd[2608]: => slap_access_allowed: disclose access granted by
read(=rscxd)
  slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
  slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
  slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
  slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
  slapd[2608]: SASL [conn=1002] Failure: no secret in database
  slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
  slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user
not found: no secret in database"
  slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
  slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not
found: no secret in database
  slapd[2608]: <== slap_sasl_bind: rc=49
  slapd[2608]: daemon: activity on 1 descriptor
  slapd[2608]: daemon: activity on:
  slapd[2608]:  31r

Thank you for your suggestions.
B chataigne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20111031/842c4c7c/attachment.html

More information about the Cyrus-sasl mailing list