Hello, colleagues.
I'm trying to implement proxy auth in LDAP.
I want to authorize users by the mail attribute.
In LDAP we have:
dn: uid=peter,ou=it,ou=people,dc=mcbfa,dc=local
uid: peter
givenName: Peter
sn: Teslenko
cn: Peter Teslenko
userPassword: mega_pass
homeDirectory: /var/spool/Maildir/peter
mail: [EMAIL PROTECTED]
maildrop: [EMAIL PROTECTED]
maildrop: [EMAIL PROTECTED]
maildrop: [EMAIL PROTECTED]
maildrop: [EMAIL PROTECTED]
maildrop: [EMAIL PROTECTED]
objectClass: CourierMailAlias
objectClass: CourierMailAccount
objectClass: inetOrgPerson
objectClass: qmailUser
creatorsName: cn=admin,dc=mcbfa,dc=local
createTimestamp: 20061223211316Z
uidNumber: 1001
gidNumber: 125
mailbox: /var/spool/Maildir/peter/Maildir
quota: 5120000S
modifiersName: cn=admin,dc=mcbfa,dc=local
modifyTimestamp: 20061223231316Z
subschemaSubentry: cn=Subschema
accountStatus: active

dn: uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local
uid: saslauthzproxy
givenName: SASLAuthzProxy
sn: SASLAuthzProxy
cn: SASLAuthzProxy
userPassword: proxy_pass
#objectClass: top
#objectClass: account
objectClass: simpleSecurityObject
objectClass: inetOrgPerson
#ou: SASL
saslAuthzTo: ldap:///ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
saslAuthzTo: ldap:///ou=it,ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
saslAuthzTo: ldap:///ou=daemons,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
mail: saslauthzproxy
/etc/ldap/slapd.conf
sasl-authz-policy to
sasl-regexp uid=(.*),cn=(.*),cn=auth ldap:///dc=mcbfa,dc=local??sub?(&(objectclass=inetOrgPerson)(mail=$1))
/usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
auxprop_plugin: slapd
ldapdb_uri: ldap://sandbox.mcbfa.local
ldapdb_id: admin
ldapdb_pw: admin_pass
ldapdb_mech: digest-md5
mech_list: DIGEST-MD5
/etc/postfix/sasl/smtpd.conf
# Global parameters
log_level: 7
pwcheck_method: auxprop
#mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
mech_list: DIGEST-MD5
# Aux plugin params
auxprop_plugin: ldapdb
ldapdb_uri: ldap://sandbox.mcbfa.local
ldapdb_id: saslauthzproxy
ldapdb_pw: proxy_secret
ldapdb_mech: DIGEST-MD5
ldapdb_starttls: demand
Every user passes authorization with their own password:
[EMAIL PROTECTED]:/home/peter# ldapwhoami -U [EMAIL PROTECTED] -Y DIGEST-MD5 -H ldap://localhost
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: [EMAIL PROTECTED]
SASL SSF: 128
SASL installing layers
dn:uid=peter,ou=it,ou=people,dc=mcbfa,dc=local
Result: Success (0)
[EMAIL PROTECTED]:/home/peter# ldapwhoami -U saslauthzproxy -Y DIGEST-MD5 -H ldap://localhost
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: saslauthzproxy
SASL SSF: 128
SASL installing layers
dn:uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local
Result: Success (0)
But if I try to go through the proxy, no luck:
[EMAIL PROTECTED]:/home/peter# ldapwhoami -U saslauthzproxy -Y DIGEST-MD5 -X u:[EMAIL PROTECTED] -H ldap://localhost
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
In the log:
Dec 25 13:21:47 localhost slapd[1118]: >>> slap_listener(ldap:///)
Dec 25 13:21:47 localhost slapd[1118]: connection_get(11)
Dec 25 13:21:47 localhost slapd[1118]: connection_get(11): got connid=8
Dec 25 13:21:47 localhost slapd[1118]: connection_read(11): checking for input
on id=8
Dec 25 13:21:47 localhost slapd[1118]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Dec 25 13:21:47 localhost slapd[1118]: do_bind
Dec 25 13:21:47 localhost slapd[1118]: >>> dnPrettyNormal: <>
Dec 25 13:21:47 localhost slapd[1118]: <<< dnPrettyNormal: <>, <>
Dec 25 13:21:47 localhost slapd[1118]: do_sasl_bind: dn () mech DIGEST-MD5
Dec 25 13:21:47 localhost slapd[1118]: ==> sasl_bind: dn="" mech=DIGEST-MD5
datalen=0
Dec 25 13:21:47 localhost slapd[1118]: SASL [conn=8] Debug: DIGEST-MD5 server
step 1
Dec 25 13:21:47 localhost slapd[1118]: send_ldap_sasl: err=14 len=194
Dec 25 13:21:47 localhost slapd[1118]: send_ldap_response: msgid=1 tag=97 err=14
Dec 25 13:21:47 localhost slapd[1118]: <== slap_sasl_bind: rc=14
Dec 25 13:21:54 localhost slapd[1118]: connection_get(11)
Dec 25 13:21:54 localhost slapd[1118]: connection_get(11): got connid=8
Dec 25 13:21:54 localhost slapd[1118]: connection_read(11): checking for input
on id=8
Dec 25 13:21:54 localhost slapd[1118]: ber_get_next on fd 11 failed errno=11
(Resource temporarily unavailable)
Dec 25 13:21:54 localhost slapd[1118]: do_bind
Dec 25 13:21:54 localhost slapd[1118]: >>> dnPrettyNormal: <>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnPrettyNormal: <>, <>
Dec 25 13:21:54 localhost slapd[1118]: do_sasl_bind: dn () mech DIGEST-MD5
Dec 25 13:21:54 localhost slapd[1118]: ==> sasl_bind: dn="" mech=<continuing>
datalen=332
Dec 25 13:21:54 localhost slapd[1118]: SASL [conn=8] Debug: DIGEST-MD5 server
step 2
Dec 25 13:21:54 localhost slapd[1118]: SASL Canonicalize [conn=8]:
authcid="saslauthzproxy"
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_getdn: conn 8
id=saslauthzproxy [len=14]
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_getdn: u:id converted to
uid=saslauthzproxy,cn=DIGEST-MD5,cn=auth
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize:
<uid=saslauthzproxy,cn=DIGEST-MD5,cn=auth>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize:
<uid=saslauthzproxy,cn=digest-md5,cn=auth>
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl2dn: converting SASL name
uid=saslauthzproxy,cn=digest-md5,cn=auth to a DN
Dec 25 13:21:54 localhost slapd[1118]: slap_authz_regexp: converting SASL name
uid=saslauthzproxy,cn=digest-md5,cn=auth
Dec 25 13:21:54 localhost slapd[1118]: slap_authz_regexp: converted SASL name to
ldap:///dc=mcbfa,dc=local??sub?(&(objectclass=inetOrgPerson)(mail=saslauthzproxy))
Dec 25 13:21:54 localhost slapd[1118]: slap_parseURI: parsing
ldap:///dc=mcbfa,dc=local??sub?(&(objectclass=inetOrgPerson)(mail=saslauthzproxy))
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize: <dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize: <dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl2dn: performing internal search
(base=dc=mcbfa,dc=local, scope=2)
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]: bdb_dn2entry("dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: search_candidates:
base="dc=mcbfa,dc=local" (0x00000001) scope=2
Dec 25 13:21:54 localhost slapd[1118]: => bdb_dn2idl("dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [b49d1940]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read: failed (-30990)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=0,
first=0, last=0
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [860433ad]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read 3 candidates
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=3,
first=5, last=11
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (mail)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: (mail)
index_param failed (18)
Dec 25 13:21:54 localhost slapd[1118]: bdb_search_candidates: id=3 first=5
last=11
Dec 25 13:21:54 localhost slapd[1118]: bdb_search: 5 does not match filter
Dec 25 13:21:54 localhost slapd[1118]: bdb_search: 6 does not match filter
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: <==slap_sasl2dn: Converted SASL name to
uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_getdn: dn:id converted to
uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: SASL Canonicalize [conn=8]:
slapAuthcDN="uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local"
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]:
bdb_dn2entry("uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: base_candidates: base:
"uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local" (0x0000000b)
Dec 25 13:21:54 localhost slapd[1118]: slap_ap_lookup:
str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: SASL Canonicalize [conn=8]: authzid="u:[EMAIL
PROTECTED]"
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_getdn: conn 8 id=u:[EMAIL
PROTECTED] [len=27]
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_getdn: u:id converted to
[EMAIL PROTECTED],cn=DIGEST-MD5,cn=auth
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize: <[EMAIL
PROTECTED],cn=DIGEST-MD5,cn=auth>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize: <[EMAIL
PROTECTED],cn=digest-md5,cn=auth>
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl2dn: converting SASL name [EMAIL PROTECTED],cn=digest-md5,cn=auth
to a DN
Dec 25 13:21:54 localhost slapd[1118]: slap_authz_regexp: converting SASL name
[EMAIL PROTECTED],cn=digest-md5,cn=auth
Dec 25 13:21:54 localhost slapd[1118]: slap_authz_regexp: converted SASL name to
ldap:///dc=mcbfa,dc=local??sub?(&(objectclass=inetOrgPerson)([EMAIL PROTECTED]))
Dec 25 13:21:54 localhost slapd[1118]: slap_parseURI: parsing
ldap:///dc=mcbfa,dc=local??sub?(&(objectclass=inetOrgPerson)([EMAIL PROTECTED]))
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize: <dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize: <dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl2dn: performing internal search
(base=dc=mcbfa,dc=local, scope=2)
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]: bdb_dn2entry("dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: search_candidates:
base="dc=mcbfa,dc=local" (0x00000001) scope=2
Dec 25 13:21:54 localhost slapd[1118]: => bdb_dn2idl("dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [b49d1940]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read: failed (-30990)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=0,
first=0, last=0
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [860433ad]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read 3 candidates
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=3,
first=5, last=11
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (mail)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: (mail)
index_param failed (18)
Dec 25 13:21:54 localhost slapd[1118]: bdb_search_candidates: id=3 first=5
last=11
Dec 25 13:21:54 localhost slapd[1118]: bdb_search: 5 does not match filter
Dec 25 13:21:54 localhost slapd[1118]: bdb_search: 6 does not match filter
Dec 25 13:21:54 localhost slapd[1118]: bdb_search: 11 does not match filter
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: <==slap_sasl2dn: Converted SASL name to
<nothing>
Dec 25 13:21:54 localhost slapd[1118]: SASL Canonicalize [conn=8]:
slapAuthzDN="[EMAIL PROTECTED],cn=digest-md5,cn=auth"
Dec 25 13:21:54 localhost slapd[1118]: SASL proxy authorize [conn=8]:
authcid="saslauthzproxy" authzid="u:[EMAIL PROTECTED]"
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl_authorized: can uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local become
[EMAIL PROTECTED],cn=digest-md5,cn=auth?
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl_check_authz: does [EMAIL PROTECTED],cn=digest-md5,cn=auth match
authzTo rule in uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local?
Dec 25 13:21:54 localhost slapd[1118]: => bdb_entry_get: ndn:
"uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local"
Dec 25 13:21:54 localhost slapd[1118]: => bdb_entry_get: oc: "(null)", at:
"authzTo"
Dec 25 13:21:54 localhost slapd[1118]:
bdb_dn2entry("uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: bdb_entry_get: rc=0
Dec 25 13:21:54 localhost slapd[1118]: ===>slap_sasl_match: comparing DN [EMAIL PROTECTED],cn=digest-md5,cn=auth to
rule ldap:///ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: slap_parseURI: parsing
ldap:///ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize:
<ou=people,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize:
<ou=people,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_match: performing internal
search (base=ou=people,dc=mcbfa,dc=local, scope=2)
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]:
bdb_dn2entry("ou=people,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: search_candidates:
base="ou=people,dc=mcbfa,dc=local" (0x00000002) scope=2
Dec 25 13:21:54 localhost slapd[1118]: =>
bdb_dn2idl("ou=people,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key:
@ou=people,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_dn2idl: id=5 first=2 last=6
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [b49d1940]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read: failed (-30990)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=0,
first=0, last=0
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [860433ad]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read 3 candidates
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=3,
first=5, last=11
Dec 25 13:21:54 localhost slapd[1118]: bdb_search_candidates: id=2 first=5
last=6
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: <===slap_sasl_match: comparison returned
48
Dec 25 13:21:54 localhost slapd[1118]: ===>slap_sasl_match: comparing DN [EMAIL PROTECTED],cn=digest-md5,cn=auth to
rule ldap:///ou=it,ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: slap_parseURI: parsing
ldap:///ou=it,ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize:
<ou=it,ou=people,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize:
<ou=it,ou=people,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_match: performing internal
search (base=ou=it,ou=people,dc=mcbfa,dc=local, scope=2)
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]:
bdb_dn2entry("ou=it,ou=people,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: search_candidates:
base="ou=it,ou=people,dc=mcbfa,dc=local" (0x00000003) scope=2
Dec 25 13:21:54 localhost slapd[1118]: =>
bdb_dn2idl("ou=it,ou=people,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key:
@ou=it,ou=people,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_dn2idl: id=3 first=3 last=6
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [b49d1940]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read: failed (-30990)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=0,
first=0, last=0
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [860433ad]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read 3 candidates
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=3,
first=5, last=11
Dec 25 13:21:54 localhost slapd[1118]: bdb_search_candidates: id=2 first=5
last=6
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: <===slap_sasl_match: comparison returned
48
Dec 25 13:21:54 localhost slapd[1118]: ===>slap_sasl_match: comparing DN [EMAIL PROTECTED],cn=digest-md5,cn=auth to
rule ldap:///ou=daemons,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: slap_parseURI: parsing
ldap:///ou=daemons,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: >>> dnNormalize:
<ou=daemons,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: <<< dnNormalize:
<ou=daemons,dc=mcbfa,dc=local>
Dec 25 13:21:54 localhost slapd[1118]: slap_sasl_match: performing internal
search (base=ou=daemons,dc=mcbfa,dc=local, scope=2)
Dec 25 13:21:54 localhost slapd[1118]: => bdb_search
Dec 25 13:21:54 localhost slapd[1118]:
bdb_dn2entry("ou=daemons,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: search_candidates:
base="ou=daemons,dc=mcbfa,dc=local" (0x00000007) scope=2
Dec 25 13:21:54 localhost slapd[1118]: =>
bdb_dn2idl("ou=daemons,dc=mcbfa,dc=local")
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key:
@ou=daemons,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_dn2idl: id=5 first=7 last=11
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [b49d1940]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read: failed (-30990)
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=0,
first=0, last=0
Dec 25 13:21:54 localhost slapd[1118]: => bdb_equality_candidates (objectClass)
Dec 25 13:21:54 localhost slapd[1118]: => key_read
Dec 25 13:21:54 localhost slapd[1118]: bdb_idl_fetch_key: [860433ad]
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_index_read 3 candidates
Dec 25 13:21:54 localhost slapd[1118]: <= bdb_equality_candidates: id=3,
first=5, last=11
Dec 25 13:21:54 localhost slapd[1118]: bdb_search_candidates: id=1 first=11
last=11
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=0 matched=""
text=""
Dec 25 13:21:54 localhost slapd[1118]: <===slap_sasl_match: comparison returned
48
Dec 25 13:21:54 localhost slapd[1118]: <==slap_sasl_check_authz: authzTo check
returning 48
Dec 25 13:21:54 localhost slapd[1118]: <== slap_sasl_authorized: return 48
Dec 25 13:21:54 localhost slapd[1118]: SASL Proxy Authorize [conn=8]: proxy
authorization disallowed (48)
Dec 25 13:21:54 localhost slapd[1118]: SASL [conn=8] Failure: not authorized
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: conn=8 op=1 p=3
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_result: err=50 matched=""
text="SASL(-14): authorization failure: not authorized"
Dec 25 13:21:54 localhost slapd[1118]: send_ldap_response: msgid=2 tag=97 err=50
Dec 25 13:21:54 localhost slapd[1118]: <== slap_sasl_bind: rc=50
Dec 25 13:21:54 localhost slapd[1118]: connection_get(11)
Dec 25 13:21:54 localhost slapd[1118]: connection_get(11): got connid=8
Dec 25 13:21:54 localhost slapd[1118]: connection_read(11): checking for input
on id=8
Dec 25 13:21:54 localhost slapd[1118]: ber_get_next on fd 11 failed errno=0
(Success)
Dec 25 13:21:54 localhost slapd[1118]: connection_closing: readying conn=8
sd=11 for close
Dec 25 13:21:54 localhost slapd[1118]: connection_close: conn=8 sd=-1
Where and what did I miss?
--
Peter Teslenko
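
An added example, not part of the original post: a small triage script that reduces a slapd trace like the one above to the lines that decide proxy authorization (the result of each sasl-regexp mapping, and which DN each saslAuthzTo rule was actually compared against). The sample log is constructed; the address user@example.com and the `uid=` form of the redacted name are assumptions.

```python
import re

# Syslog prefix as it appears in the trace: "Dec 25 13:21:54 localhost slapd[1118]: "
PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ [\d:]{8} \S+ slapd\[\d+\]:\s*")
CONVERTING = re.compile(r"==>slap_sasl2dn: converting SASL name (\S+) to a DN")
CONVERTED = re.compile(r"<==slap_sasl2dn: Converted SASL name to (.+)")
COMPARING = re.compile(r"===>slap_sasl_match: comparing DN (\S+) to rule (\S+)")
RETURNED = re.compile(r"<===slap_sasl_match: comparison returned (\d+)")
DENIED = re.compile(r"proxy authorization disallowed \((\d+)\)")

# Constructed sample modeled on the trace above. user@example.com and the
# "uid=" form of the redacted name are assumptions, not values from the post.
SAMPLE_LOG = """\
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl2dn: converting SASL name uid=saslauthzproxy,cn=digest-md5,cn=auth to a DN
Dec 25 13:21:54 localhost slapd[1118]: <==slap_sasl2dn: Converted SASL name to uid=saslauthzproxy,ou=daemons,dc=mcbfa,dc=local
Dec 25 13:21:54 localhost slapd[1118]: ==>slap_sasl2dn: converting SASL name uid=user@example.com,cn=digest-md5,cn=auth to a DN
Dec 25 13:21:54 localhost slapd[1118]: <==slap_sasl2dn: Converted SASL name to
<nothing>
Dec 25 13:21:54 localhost slapd[1118]: ===>slap_sasl_match: comparing DN uid=user@example.com,cn=digest-md5,cn=auth to rule ldap:///ou=people,dc=mcbfa,dc=local??sub?(objectclass=inetOrgPerson)
Dec 25 13:21:54 localhost slapd[1118]: <===slap_sasl_match: comparison returned 48
Dec 25 13:21:54 localhost slapd[1118]: SASL Proxy Authorize [conn=8]: proxy authorization disallowed (48)
"""

def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto their syslog record."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append(line[m.end():])
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def trace_authz(text):
    """Extract SASL name mappings, authzTo rule checks and the final verdict."""
    mappings, checks, denied = [], [], False
    name = rule = None
    for msg in unwrap(text):
        if m := CONVERTING.search(msg):
            name = m.group(1)
        elif m := CONVERTED.search(msg):
            dn = m.group(1).strip()
            mappings.append((name, None if dn == "<nothing>" else dn))
        elif m := COMPARING.search(msg):
            rule = (m.group(1), m.group(2))
        elif (m := RETURNED.search(msg)) and rule:
            checks.append((*rule, int(m.group(1))))  # 48 = inappropriateAuthentication
        elif DENIED.search(msg):
            denied = True
    findings = [f"{n}: sasl-regexp search matched no entry"
                for n, dn in mappings if dn is None]
    # A rule tested against a name still ending in cn=auth was tested against
    # an unmapped SASL name, not against a directory entry.
    findings += [f"rule {r} compared against unmapped name {dn} (rc={rc})"
                 for dn, r, rc in checks if dn.lower().endswith(",cn=auth")]
    return {"mappings": mappings, "checks": checks, "denied": denied, "findings": findings}

if __name__ == "__main__":
    for line in trace_authz(SAMPLE_LOG)["findings"]:
        print(line)
```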