* Howard Chu <hyc@xxxxxxxxxxxxxxx>:
> Patrick Ben Koetter wrote:
> > This mail expands on a mail I had sent to cyrus-sasl@xxxxxxxxxxxxxxxxxxxx a
> > few days ago. I spent the last days testing this and I believe I have
> > found a bug.
>
> The likelihood that a bug is in the ldapdb code is about zero.

Agreed. That's why I wrote "possible".

> > Version: Cyrus SASL 2.1.22
> > OS: CentOS (also tested and verified on Ubuntu and OpenSuse)
> > Description: Entries that can successfully be authenticated using the
> >              ldapwhoami command can only partially be authenticated using
> >              the Cyrus SASL ldapdb-plugin.
> >
> > Steps to reproduce:
> > (All files are available for download at
> > <http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
>
> Since you've gone to the trouble of packaging this up, you should also have
> included an extract from the slapd debug log taken from running the sample
> authentication.

Right. My fault. I've created a completely new package and put it at
http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz. It contains
a log from "loglevel ACL traces".

> > 1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> > 2. Use ldapwhoami to verify authentication:
> >
> >    [root@netinstall ldap]# ldapwhoami -U a -w a
> >    SASL/DIGEST-MD5 authentication started
> >    SASL username: a
> >    SASL SSF: 128
> >    SASL installing layers
> >    dn:uid=a,ou=people,dc=example,dc=com
> >    Result: Success (0)
> >
> >    [root@netinstall ldap]# ldapwhoami -U b -w b
> >    SASL/DIGEST-MD5 authentication started
> >    SASL username: b
> >    SASL SSF: 128
> >    SASL installing layers
> >    dn:uid=b,ou=people,dc=example,dc=com
> >    Result: Success (0)
>
> Neither of these commands reflects what the ldapdb plugin does. To test
> that you first need to test e.g.
>
> ldapwhoami -U proxyuser -X a

[root@netinstall ~]# ldapwhoami -U proxyuser -X a
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: unable authorization ID

So it seems that the proxyuser has "Insufficient access". I've followed the
traces of authentication in the log and see that it fails, but I can't tell
why. If I interpret the log correctly, the authz-regexp mapping works and
maps proxyuser to the correct dn. Permission is given to read the uid and
userPassword, but then it fails. This is where I am lost.

(On a sidenote I wonder: if proxyuser fails, how come the ldapdb plugin
would work for one entry and not the other?)

p@rick

P.S.: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you
want me to, I can open a new thread on openldap.

--
The Book of Postfix <http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
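The point of Howard's reply is that `ldapwhoami -U a -w a` only exercises authentication, while the ldapdb plugin relies on proxy authorization: it authenticates as proxyuser (`-U`) and asks to be treated as a different identity (`-X`). The added Python model below is not code from this thread or from OpenLDAP; it mimics the two stages slapd runs through for a SASL bind, the `authz-regexp` rewrite of the SASL name into a DN (the real regexp lines from the report's package are not on the page, so the rule here is an assumption shaped like the DNs in the ldapwhoami output) and a simplified proxy-authorization check (the `authzTo` list per entry is a constructed stand-in, not the report's data). It shows why `-U a -w a` can succeed for every user while `-U proxyuser -X b` still fails with result 50.

```python
import re

# Constructed sample of the server's "authz-regexp" rules (assumption, not the
# rules from the bug report's package).  slapd first renders a SASL name as
# uid=<name>,cn=<mech>,cn=auth and then rewrites it with the first rule that matches.
AUTHZ_REGEXP = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     r"uid=\1,ou=people,dc=example,dc=com"),
]

# Constructed directory: uid -> password plus the DNs this entry may proxy for.
# "authzTo" is a simplified stand-in for OpenLDAP's proxy-authorization policy
# (assumption); note that proxyuser is allowed to become "a" but not "b".
DIRECTORY = {
    "a":         {"password": "a",      "authzTo": []},
    "b":         {"password": "b",      "authzTo": []},
    "proxyuser": {"password": "secret", "authzTo": ["uid=a,ou=people,dc=example,dc=com"]},
}


def sasl_to_dn(sasl_id, rules=AUTHZ_REGEXP, mech="digest-md5"):
    """Map a SASL identity (authcid or authzid) to a DN the way authz-regexp does.
    Accepts the bare name, the "u:<name>" form or an explicit "dn:<dn>".
    Returns None when no rule matches, which is what an unmappable authzid looks like."""
    if sasl_id.lower().startswith("dn:"):
        return sasl_id[3:]
    if sasl_id.lower().startswith("u:"):
        sasl_id = sasl_id[2:]
    candidate = f"uid={sasl_id},cn={mech},cn=auth"
    for pattern, replacement in rules:
        m = re.match(pattern, candidate, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return None


def sasl_bind(authcid, password, authzid=None):
    """Model of 'ldapwhoami -U authcid -w password [-X authzid]'.
    Returns (ldap_result_code, effective_dn_or_reason):
      0  success, second element is the DN the bind runs as
      49 invalidCredentials (authentication failed)
      50 insufficientAccess (authorization failed, the case seen in the thread)."""
    entry = DIRECTORY.get(authcid)
    if entry is None or entry["password"] != password:
        return 49, "invalidCredentials"
    authc_dn = sasl_to_dn(authcid)
    if authc_dn is None:
        return 49, "no authz-regexp rule matched the authentication ID"
    if authzid is None:
        # plain "-U a -w a": authentication only, no proxy step involved
        return 0, authc_dn
    authz_dn = sasl_to_dn(authzid)
    if authz_dn is None:
        return 50, "authorization failure: unable to map authorization ID"
    # proxy authorization: the authenticated entry must be permitted to become authz_dn
    if authz_dn == authc_dn or authz_dn in entry["authzTo"]:
        return 0, authz_dn
    return 50, "authorization failure: proxy authorization not permitted"


if __name__ == "__main__":
    for args in [("a", "a"), ("b", "b"),
                 ("proxyuser", "secret", "a"), ("proxyuser", "secret", "b")]:
        code, detail = sasl_bind(*args)
        print(f"{args!r:45} -> Result: {code} ({detail})")
```

Running the block prints success for both plain binds and for the proxy bind to `a`, but result 50 for the proxy bind to `b`, which is the pattern Patrick describes: the ldapdb plugin never binds as the end user, so a passing `ldapwhoami -U b -w b` says nothing about whether proxyuser is allowed to act as `b`.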