Hi,
I tried again with following steps:
1. saslpasswd2 -c admin
2. configure slapd.conf:
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth
uid=$1,ou=People,o=Ever
database bdb
suffix "ou=people,o=Ever"
rootdn "uid=admin,ou=People,o=Ever"
3. I use the following LDIF file
dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization
dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with
Organization products
objectClass: top
objectClass: organizationalUnit
dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit
dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: [email protected]
uid: admin
cn: Administrator
sn: admin
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in
database
6.slapd log is :
slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277198750
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277198752
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to
a DN
==> rewrite_context_apply [depth=1]
string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=admin,ou=People,o=Ever'}
slap_parseURI: parsing uid=admin,ou=People,o=Ever
ldap_url_parse_ext(uid=admin,ou=People,o=Ever)
>>> dnNormalize: <uid=admin,ou=People,o=Ever>
<<< dnNormalize: <uid=admin,ou=people,o=ever>
<==slap_sasl2dn: Converted SASL name to uid=admin,ou=people,o=ever
slap_sasl_getdn: dn:id converted to uid=admin,ou=people,o=ever
=> bdb_search
bdb_dn2entry("uid=admin,ou=people,o=ever")
=> bdb_dn2id("ou=people,o=ever")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("uid=admin,ou=people,o=ever")
<= bdb_dn2id: got id=0x2
entry_decode: "uid=admin,ou=People,o=Ever"
<= entry_decode(uid=admin,ou=People,o=Ever)
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type
undefined
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12
why would this happen?
-----Original Message-----
From: Dan White [mailto:[email protected]]
Sent: Tuesday, June 22, 2010 1:06 AM
To: LI Ji D
Cc: [email protected]
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
> 3. Then I configure the slapd.conf to be like this:
> authz-policy to
> sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
> database bdb
> suffix "dc=example,dc=com"
> rootdn "uid=111,cn=digest-md5,cn=auth"
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with command 'slapd -d 1', and run
>ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5
-p
>389', but fails with reason: user not found: no secret in database.
> The log of slapd is:
>
>slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>
>>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
>
><<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
>
>==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth
to
>a DN
>slap_sasl_getdn: dn:id converted to
>uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
>
>SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb.
Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of
syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:
log_level: 7
--
Dan White
