problem with digest-md5 and openldap

Dan White dwhite at olp.net
Mon Oct 31 10:09:32 EDT 2011


On 31/10/11 10:37 +0100, bea chataigne wrote:
>Hello,
>
>On a redhat 6, openldap 2.4 and cyrus-sasl 2.1.23.
>
>I create a sasldb syncuser user,
> in my slapd.d configuration I add:
>OlcAuthzRegexp: {0} "uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
>
>I gave the ldap user read access on sasldb.
>
>PB during a ldapsearch:
>
># ldapsearch -Y DIGEST-MD5 -U syncuser -h localhost
>ldap_sasl_interactive_bind_s: Invalid credentials ( 49 )      additional
>information: SASL ( 13 ): user not found: no secret in database

Which version of OpenLDAP are you using?

As of version 2.4.17, the default auxprop plugin is now the internal
'slapd' plugin, which will internally retrieve the user's password from
their authz-regexp mapped entry. To use the sasldb plugin, you need to
configure sasl-auxprops/olcSaslAuxprops. See slapd.conf(5) or
slapd-config(5) depending on which configuration scheme you're using.

>Slapd in debug mode sends back  to me:
>
>slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
>  slapd[2608]:slapd[2608]: ==> sasl_bind: dn="" mech=<continuing>
>datalen=277
>  slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
>  slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
>  slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
>  slapd[2608]: slap_sasl_getdn: u:id converted to
>uid=syncuser,cn=DIGEST-MD5,cn=auth
>  slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
>  slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
>  slapd[2608]: ==>slap_sasl2dn: converting SASL name
>uid=syncuser,cn=digest-md5,cn=auth to a DN
>  slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" ->
>"cn=syncuser,dc=xxx,dc=fr"
>  slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
>  slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
>  slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
>  slapd[2608]: <==slap_sasl2dn: Converted SASL name to
>cn=syncuser,dc=xxx,dc=fr
>  slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
>  slapd[2608]: SASL Canonicalize [conn=1002]:
>slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
>  slapd[2608]: => hdb_search
>  slapd[2608]: daemon: activity on 1 descriptor
>  slapd[2608]: daemon: activity on:
>  slapd[2608]:
>  slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
>  slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
>  slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
>  slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
>  slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
>  slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
>  slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data
>pair found (-30988)
>  slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry"
>requested
>  slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
>  slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
>  slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
>  slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
>  slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
>  slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
>  slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
>  slapd[2608]: => acl_get: [12] attr entry
>  slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry"
>requested
>  slapd[2608]: => acl_mask: to all values by "", (=0)
>  slapd[2608]: <= check a_dn_pat: *
>  slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
>  slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
>  slapd[2608]: => slap_access_allowed: disclose access granted by
>read(=rscxd)
>  slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
>  slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
>  slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
>  slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
>  slapd[2608]: SASL [conn=1002] Failure: no secret in database
>  slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
>  slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user
>not found: no secret in database"
>  slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
>  slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not
>found: no secret in database
>  slapd[2608]: <== slap_sasl_bind: rc=49
>  slapd[2608]: daemon: activity on 1 descriptor
>  slapd[2608]: daemon: activity on:
>  slapd[2608]:  31r
>
>Thank you for your suggestions.
>B chataigne

-- 
Dan White
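An added configuration example (not from either poster) for the cn=config scheme Dan points at: it selects the sasldb auxprop plugin via olcSaslAuxprops, alongside the mapping from the original post. The suffix dc=xxx,dc=fr and the user name syncuser are taken from the thread; everything else is standard cn=config syntax.

```ldif
# Added example, not the original poster's configuration.
# Since OpenLDAP 2.4.17 the default auxprop plugin is the internal 'slapd'
# plugin, which reads the password from the authz-regexp mapped entry
# (here cn=syncuser,dc=xxx,dc=fr). That entry does not exist in the log above,
# hence "no secret in database". Point slapd back at sasldb instead:
dn: cn=config
changetype: modify
replace: olcSaslAuxprops
olcSaslAuxprops: sasldb
-
# Keep the mapping from the post so the authenticated SASL identity
# is still rewritten to the DN that the ACLs refer to.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` (the slapd.conf(5) equivalent is a single `sasl-auxprops sasldb` line), then confirm the secret is present with `sasldblistusers2` and that the account slapd runs as can read the sasldb file, since the SASL library opens it inside the slapd process.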

