On 31/10/11 10:37 +0100, bea chataigne wrote:
Hello,
On a Red Hat 6 box, with OpenLDAP 2.4 and cyrus-sasl 2.1.23.
I created a syncuser user in sasldb,
and in my slapd.d configuration I added:
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
I gave the ldap user read rights on sasldb.
Problem during an ldapsearch:
# ldapsearch -Y DIGEST-MD5 -U syncuser -h localhost
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Which version of OpenLDAP are you using?
As of version 2.4.17, the default auxprop plugin is now the internal
'slapd' plugin, which will internally retrieve the user's password from
their authz-regexp mapped entry. To use the sasldb plugin, you need to
configure sasl-auxprops/olcSaslAuxprops. See slapd.conf(5) or
slapd-config(5) depending on which configuration scheme you're using.
slapd in debug mode gives me:
slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277
slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
slapd[2608]: slap_sasl_getdn: u:id converted to uid=syncuser,cn=DIGEST-MD5,cn=auth
slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
slapd[2608]: ==>slap_sasl2dn: converting SASL name uid=syncuser,cn=digest-md5,cn=auth to a DN
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: SASL Canonicalize [conn=1002]: slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: => hdb_search
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]:
slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry" requested
slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => acl_get: [12] attr entry
slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry" requested
slapd[2608]: => acl_mask: to all values by "", (=0)
slapd[2608]: <= check a_dn_pat: *
slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
slapd[2608]: => slap_access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[2608]: <== slap_sasl_bind: rc=49
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]: 31r
Thank you for your suggestions.
B chataigne
--
Dan White
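An added configuration example illustrating the fix Dan describes (this LDIF is not from the original thread and is not OpenLDAP project code). It switches slapd from the default internal 'slapd' auxprop plugin to sasldb with olcSaslAuxprops, and restates the authz-regexp mapping with the quotes hugging the DNs. The debug output in the quoted post shows why the default plugin finds nothing: the mapped entry cn=syncuser,dc=xxx,dc=fr does not exist (hdb_dn2id returns DB_NOTFOUND), so the slapd plugin has no entry from which to read a password. The ldapi:/// URL and the realm value are assumptions.

```ldif
# Added example, not from the original thread.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl-auxprops.ldif
# (assumes cn=config is writable by root over ldapi with EXTERNAL auth)
dn: cn=config
changetype: modify
# Since OpenLDAP 2.4.17 the default auxprop plugin is 'slapd', which reads
# the secret from the authz-regexp mapped entry. Point it at sasldb instead.
replace: olcSaslAuxprops
olcSaslAuxprops: sasldb
-
# Same mapping as in the post, but with no stray whitespace inside the
# quotes: anything between the quotes is part of the pattern/replacement.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
-
# Optional, assumed value: sasldb keys secrets as user@realm. Set this only if
# the account was created under an explicit realm (saslpasswd2 -u <realm>),
# otherwise slapd uses the host's FQDN and the lookup must match that.
# replace: olcSaslRealm
# olcSaslRealm: xxx.fr
```

Before retrying, confirm the two things that also produce "no secret in database": that the user exists in sasldb under the realm slapd actually uses (sasldblistusers2 prints the user@realm keys), and that the account slapd runs as can read the sasldb file (on Red Hat this is normally /etc/sasldb2, an assumption for this example). Then retry with `ldapsearch -Y DIGEST-MD5 -U syncuser -H ldap://localhost/ -b dc=xxx,dc=fr`. One caveat whichever store is used: DIGEST-MD5 requires the server to have the plaintext secret, so if you keep the default slapd plugin instead, the mapped entry must exist and carry a cleartext userPassword; a hashed userPassword cannot serve DIGEST-MD5, and the file or entry holding that secret needs the same protection as any other credential store.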