On 4/22/06, Dan Nicholson <dbn.lists@xxxxxxxxx> wrote:
>
> Patrick, I'm going to assume that I have the same setup as you since I
> took mine entirely from the Book of Postfix. I was having the same
> problems with openldap-2.3.x, but I think I've solved the problem.
> The big thing was getting the regexp in /etc/openldap/slapd.conf to
> work correctly. Now, ldapwhoami checks out as well as ldapdb
> authorization through the cyrus-sasl client/server utilities.

I lied. That worked when I only had one user under ou=people. Now I
have two, and one authenticates and one doesn't. I'm baffled.

Here's some output trying to authenticate through ldapwhoami with the
troublesome user.

$ ldapwhoami -Y DIGEST-MD5 -U proxy -X u:dan
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

And debugging output from slapd. What I don't understand is that it's
failing when trying to read attributes of the user I'm not trying to
authorize as, uid=ange. In reverse, when using -X u:ange in ldapwhoami,
it can read the attributes of uid=dan.
=> access_allowed: auth access to "uid=ange,ou=people,dc=dwcab,dc=com" "objectClass" requested
=> dn: [1] dc=dwcab,dc=com
=> acl_get: [1] matched
=> dn: [2] dc=dwcab,dc=com
=> acl_get: [2] matched
=> dn: [3] dc=dwcab,dc=com
=> acl_get: [3] matched
=> dn: [4] dc=dwcab,dc=com
=> acl_get: [4] matched
=> acl_get: [5] attr objectClass
=> acl_mask: access to entry "uid=ange,ou=people,dc=dwcab,dc=com", attr "objectClass" requested
=> acl_mask: to value by "uid=proxy,ou=auth,dc=dwcab,dc=com", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: auth access granted by read(=rscxd)
<= test_filter 6
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=0 matched="" text=""
<===slap_sasl_match: comparison returned 48
<==slap_sasl_check_authz: authzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=0]: proxy authorization disallowed (48)
SASL [conn=0] Failure: not authorized
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"

Thanks in advance for anyone who can help.

--
Dan
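An added example (not from the mail and not OpenLDAP's own code) that replays offline the two steps behind "ldapwhoami -U proxy -X u:<user>": each SASL identity is mapped through authz-regexp rules, and the mapped target DN is then tested against the proxy entry's authzTo, which is the comparison the debug output above reports as "returned 48" when it fails. The authz-regexp rules and the authzTo value below are assumed stand-ins, since the actual slapd.conf is not in the mail; swapping in the real ones shows quickly whether one user's mapped DN falls outside the pattern while the other's falls inside.

```python
import re

# Constructed stand-ins for the poster's slapd.conf (assumptions, not values
# from the mail): authz-regexp rules map SASL identities to directory DNs and
# the proxy entry's authzTo lists which DNs it may act on behalf of.
AUTHZ_REGEXP_RULES = [
    (r"^uid=proxy,cn=[^,]+,cn=auth$", r"uid=proxy,ou=auth,dc=dwcab,dc=com"),
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$", r"uid=$1,ou=people,dc=dwcab,dc=com"),
]
PROXY_AUTHZ_TO = [r"dn.regex:^uid=[^,]+,ou=people,dc=dwcab,dc=com$"]


def sasl_identity_dn(identity, mech="digest-md5"):
    """'u:dan' or 'dan' -> 'uid=dan,cn=digest-md5,cn=auth', the form slapd
    matches authz-regexp rules against."""
    user = identity[2:] if identity.startswith("u:") else identity
    return f"uid={user},cn={mech},cn=auth"


def authz_regexp_map(auth_dn, rules=AUTHZ_REGEXP_RULES):
    """First matching authz-regexp wins; $1..$9 come from its groups.
    Returns None when no rule matches."""
    for pattern, replacement in rules:
        m = re.match(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def authz_to_allows(values, target_dn):
    """Evaluate dn:/dn.exact: and dn.regex: authzTo values against target_dn.
    The ldap:/// URL form needs a live search and is not handled here."""
    for value in values:
        if value.startswith("dn.regex:"):
            if re.search(value[len("dn.regex:"):], target_dn, re.IGNORECASE):
                return True
        elif value.startswith(("dn.exact:", "dn:")):
            if value.split(":", 1)[1].lower() == target_dn.lower():
                return True
        else:
            raise ValueError(f"unsupported authzTo form: {value}")
    return False


def proxy_authz_check(authcid, authzid):
    """Replay 'ldapwhoami -U <authcid> -X <authzid>': map both ids, then test."""
    proxy_dn = authz_regexp_map(sasl_identity_dn(authcid))
    target_dn = authz_regexp_map(sasl_identity_dn(authzid))
    if proxy_dn is None or target_dn is None:
        return False, proxy_dn, target_dn
    return authz_to_allows(PROXY_AUTHZ_TO, target_dn), proxy_dn, target_dn
```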