Hi, I'm using openldap 2.4.19 to set up an ldap server with sasl, but I'm running into some problems.

I followed the instructions in http://www.openldap.org/doc/admin24/sasl.html to do the installation.

1. I installed cyrus-sasl-2.1.22 successfully, and used the Cyrus SASL sample_client and sample_server to test my SASL installation before attempting to make use of it with OpenLDAP Software.

2. Then I installed openldap with these commands:

   # export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
   # export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
   # export LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"
   # ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
   # make depend
   # make
   # make test
   # make install
   # cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

   There was no error during the install.

3. Then I configured slapd.conf like this:

   include /usr/local/openldap/schema/core.schema
   include /usr/local/openldap/schema/cosine.schema
   include /usr/local/openldap/schema/inetorgperson.schema
   include /usr/local/openldap/schema/openldap.schema
   include /usr/local/openldap/schema/nis.schema
   pidfile /usr/local/openldap/slapd.1.pid
   argsfile /usr/local/openldap/slapd.1.args
   authz-policy to
   sasl-regexp "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
   database bdb
   suffix "dc=example,dc=com"
   rootdn "uid=111,cn=digest-md5,cn=auth"

4. Then I used 'saslpasswd2 -c liji1' to add a user and created /usr/lib/sasl2/slapd.conf with this content:

   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: plain login ntlm cram-md5 digest-md5

5. Then I started slapd with 'slapd -d 1' and ran ldapwhoami with:

   ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389

   but it fails with the reason: user not found: no secret in database.
The log of slapd is:

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1276849696
ber_get_next
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1276849697
ber_get_next
conn=1 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=1 sd=12

What am I doing wrong?

Thanks
liji
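Added example (written for this page, not code from the original post or from OpenLDAP): a small Python model of the identity mapping the debug log above walks through, i.e. slap_sasl_getdn building the uid=...,cn=<mech>,cn=auth pseudo-DN, dnNormalize lowercasing the case-insensitive uid/cn values, and the sasl-regexp (authz-regexp) rule rewriting the result with $1 backreferences, first matching rule wins. The function names sasl_auth_dn, normalize_dn, apply_sasl_regexp and map_sasl_identity are mine; the rule from the post is used as-is, and a second, assumed rule shows the same mechanism mapping an identity onto a real directory entry under dc=example,dc=com. One caveat the model deliberately does not cover: the "no secret in database" failure is raised by the Cyrus SASL secret lookup, which in sasldb is keyed by user name and realm, and is independent of which DN the regexp produces.

```python
import re

# Constructed sample rule: the sasl-regexp from the post, which maps the
# identity onto another cn=auth pseudo-DN rather than a directory entry.
POST_RULES = [
    (r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"),
]

# Constructed sample rule (assumed, not from the post): map an identity that
# authenticated in realm example.com onto an entry in the directory tree.
TREE_RULES = [
    (r"^uid=([^,]+),cn=example\.com,cn=digest-md5,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
]


def sasl_auth_dn(username, mechanism, realm=None):
    """Build the pseudo-DN slapd derives from a SASL authentication identity.

    OpenLDAP documents the form uid=<user>[,cn=<realm>],cn=<mech>,cn=auth;
    the realm component is present only when the mechanism supplied one.
    """
    parts = ["uid=" + username]
    if realm:
        parts.append("cn=" + realm)
    parts.append("cn=" + mechanism)
    parts.append("cn=auth")
    return ",".join(parts)


def normalize_dn(dn):
    """Approximate dnNormalize for these pseudo-DNs.

    uid and cn both use caseIgnoreMatch, so attribute types and values are
    lowercased and whitespace around the RDN separators is dropped. This is
    enough for cn=auth identities; it is not a general DN normalizer.
    """
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out.append(attr.lower() + "=" + value.lower())
    return ",".join(out)


def apply_sasl_regexp(dn, rules):
    """Apply (pattern, replacement) rules the way sasl-regexp does.

    Rules are tried in configuration order and the first pattern that matches
    wins; $1..$9 in the replacement are the pattern's capture groups. When no
    rule matches, the identity keeps its cn=auth pseudo-DN.
    """
    for pattern, replacement in rules:
        match = re.match(pattern, dn)
        if match:
            return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))),
                          replacement)
    return dn


def map_sasl_identity(username, mechanism, rules, realm=None):
    """Full chain as seen in the slapd log: build, normalize, then rewrite."""
    return apply_sasl_regexp(normalize_dn(sasl_auth_dn(username, mechanism, realm)),
                             rules)


if __name__ == "__main__":
    # Reproduces the DN the log reports for conn=1 op=1.
    print(map_sasl_identity("liji1", "DIGEST-MD5", POST_RULES))
    # Without a realm the tree rule does not match, so the pseudo-DN is kept.
    print(map_sasl_identity("liji1", "DIGEST-MD5", TREE_RULES))
    # With the assumed realm the identity lands on a directory entry.
    print(map_sasl_identity("liji1", "DIGEST-MD5", TREE_RULES, realm="example.com"))
```

Running the module prints the three mapped DNs; the first one matches the `<==slap_sasl2dn: Converted SASL name to ...` line in the log, and the last two show why anchoring the pattern on the realm and mechanism is the usual way to keep a rule from matching identities you did not intend to map.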
