On 31/10/11 10:37 +0100, bea chataigne wrote:
Hello,

On a Red Hat 6, OpenLDAP 2.4 and cyrus-sasl 2.1.23. I create a sasldb syncuser user; in my slapd.d configuration I add:

olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"

I give read rights to the ldap user on sasldb.

Problem during an ldapsearch:

# ldapsearch -Y DIGEST-MD5 -U syncuser -h localhost
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Which version of OpenLDAP are you using? As of version 2.4.17, the default auxprop plugin is now the internal 'slapd' plugin, which will internally retrieve the user's password from their authz-regexp mapped entry. To use the sasldb plugin, you need to configure sasl-auxprops/olcSaslAuxprops. See slapd.conf(5) or slapd-config(5) depending on which configuration scheme you're using.
Slapd in debug mode sends back to me:

slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
slapd[2608]:
slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277
slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
slapd[2608]: slap_sasl_getdn: u:id converted to uid=syncuser,cn=DIGEST-MD5,cn=auth
slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
slapd[2608]: ==>slap_sasl2dn: converting SASL name uid=syncuser,cn=digest-md5,cn=auth to a DN
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: SASL Canonicalize [conn=1002]: slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: => hdb_search
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]:
slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry" requested
slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => acl_get: [12] attr entry
slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry" requested
slapd[2608]: => acl_mask: to all values by "", (=0)
slapd[2608]: <= check a_dn_pat: *
slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
slapd[2608]: => slap_access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[2608]: <== slap_sasl_bind: rc=49
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]:

Thank you for your suggestions.
B chataigne
-- Dan White
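Added example, not part of the thread and not OpenLDAP's or Dan White's code: a small Python diagnostic that reads slapd debug output of the kind quoted above, extracts the authz-regexp mapping and whether slapd found the mapped entry, and produces the cn=config LDIF for the olcSaslAuxprops setting the reply points at. The embedded log lines are a constructed subset of the quoted trace; the assumption that olcSaslAuxprops lives on the `cn=config` entry follows the standard cn=config layout.

```python
import re

# Constructed sample: a subset of the slapd -d lines quoted in the thread above.
SAMPLE_LOG = """\
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
"""


def diagnose_sasl_bind(log: str) -> dict:
    """Explain a DIGEST-MD5 'no secret in database' failure from slapd debug output.

    Returns the authcid, the authz-regexp mapped DN, whether that entry exists,
    and the likely cause together with the two fixes the thread discusses.
    """
    authcid = re.search(r'authcid="([^"]*)"', log)
    mapped = re.search(r"slap_sasl2dn: Converted SASL name to (\S+)", log)
    # err=10 is LDAP noSuchObject; DB_NOTFOUND is the hdb backend saying the same.
    entry_missing = ("DB_NOTFOUND" in log
                     or re.search(r"send_ldap_result: err=10\b", log) is not None)
    no_secret = "no secret in database" in log
    result = {
        "authcid": authcid.group(1) if authcid else None,
        "mapped_dn": mapped.group(1) if mapped else None,
        "mapped_entry_exists": mapped is not None and not entry_missing,
        "cause": None,
        "fixes": [],
    }
    if no_secret and mapped and entry_missing:
        # The default 'slapd' auxprop plugin (2.4.17+) reads the secret from the
        # mapped entry; that entry does not exist, so there is nothing to read.
        result["cause"] = "slapd auxprop: mapped entry not found"
        result["fixes"] = [
            "create %s with a userPassword" % result["mapped_dn"],
            "or set olcSaslAuxprops: sasldb so the sasldb secret is used",
        ]
    elif no_secret:
        result["cause"] = "no usable secret for this user in the configured auxprop source"
    return result


def sasl_auxprops_ldif(plugin: str = "sasldb") -> str:
    """LDIF for ldapmodify that selects the auxprop plugin on a cn=config slapd."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcSaslAuxprops\n"
            "olcSaslAuxprops: %s\n" % plugin)
```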