Hi All,

I hope now I'm only one step away:

I've enabled the ldapdb auxprop plugin.

/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer -a

Installed auxprop mechanisms are:

ldapdb sasldb

List of auxprop plugins follows

Plugin "ldapdb" ,   API version: 4

       supports store: yes



Plugin "sasldb" ,   API version: 4

       supports store: yes



File modified (newly created): /usr/lib64/sasl2/pluginviewer.conf

Now it's getting me to a different point:
Whatever I'm executing, it hangs for an infinite time.

Example:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
Enter LDAP Password:

So, after taking the password ... no result :(

One more thing:
ldapwhoami -Y DIGEST-MD5 -U sasluser21 -H ldap://localhost
SASL/DIGEST-MD5 authentication started


Same result - no output.

Please help.

Thanks and Regards,
Gaurav Gugnani

On Tue, Feb 7, 2012 at 4:43 PM, Gaurav Gugnani <[email protected]> wrote:

> Hello All,
>
> I was working on this problem and figured out that the ldapdb auxprop
> plugin is missing.
>
>
>  /u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
>  Installed SASL (server side) mechanisms are:
>  CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
> ...
> Installed auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" ,   API version: 4
>        supports store: yes
>
> I read that to use such a thing, the ldapdb auxprop plugin should be enabled.
> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
>
> The package has been installed and the below files are there:
> libldapdb.la
> libldapdb.so.2.0.22
> libldapdb.so.2
> libldapdb.so
>
> Please help me, how to set SASL using ldap directory.
>
> Thanks for your help.
>
> Regards,
> Gaurav Gugnani
>
>
> On Tue, Feb 7, 2012 at 11:01 AM, Gaurav Gugnani <[email protected]> wrote:
>
>> Hello All,
>>
>> Thanks to all for helping me out. I hope now the destination is not too far,
>> as I achieved SASL, but it is storing using sasldb.
>> However, I want it to store information in the LDAP directory.
>>
>> I've installed the corresponding package:
>> cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
>>
>> Steps for SASL in LDAP using sasldb
>> ------------------------------------------------------
>>
>> 1> saslpasswd2 -c sasluser14
>> 2> sasldblistusers2
>>
>> 3> service ldap stop
>>
>> 4> vi etc/openldap/slapd.conf
>>       sasl-auxprops sasldb
>>
>>       authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>       - Give proper ACL to sasluser14
>>
>> 5> cat /usr/lib64/sasl2/slapd.conf
>> # SASL Configuration
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> #auxprop_plugin: slapd
>> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>> sasldb_path: /etc/sasldb2
>>
>> 6> service ldap start
>>
>> 7> ps -eaf | grep -i ldap
>>
>> 8> vi add_sasl_accnt14.ldif
>>
>>    # TEST Account for SASL (one entry; no blank line inside it, since a
>>    # blank line ends an LDIF record):
>>    dn: uid=sasluser14,ou=System,o=xyz
>>    uid: sasluser14
>>    ou: System
>>    description: Special account for SASL Testing
>>    userPassword: sasluser14
>>    objectClass: account
>>    objectClass: simpleSecurityObject
>>
>> 9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
>>
>> 10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
>>
>> But now the problem is - it is storing the users in sasldb, and we want
>> to use the LDAP directory.
>> Can anyone please suggest what changes I need to make to achieve it?
>>
>>
>> Thanks a lot for your support.
>>
>> Regards,
>> Gaurav Gugnani
>>
>> On Mon, Feb 6, 2012 at 9:17 PM, Dan White <[email protected]> wrote:
>>
>>> On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
>>>
>>>> Hello All,
>>>>
>>>> Thanks for helping me out; however, I'm still stuck in the middle of it and
>>>> the issue has not yet been resolved.
>>>>
>>>
>>> You should run your server in debug mode to determine what's going awry.
>>>
>>>> Error:
>>>>
>>>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz'
>>>> SASL/DIGEST-MD5 authentication started
>>>> Please enter your password:
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>>       additional info: SASL(-13): user not found: no secret in database
>>>>
>>>> I checked for ACL and also now i'm using authz with following lines:
>>>>
>>>> authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>>>
>>>> access to attrs="userpassword"
>>>>       by self write
>>>>       by anonymous auth
>>>>       by dn="uid=sasluser7,ou=System,o=xyz" read
>>>> access to dn.base="o=xyz"
>>>>       by dn="uid=sasluser7,ou=System,o=xyz" read
>>>>       by users read
>>>> access to dn.subtree="ou=Subscribers,o=xyz"
>>>>       by dn="uid=sasluser7,ou=System,o=xyz" read
>>>> access to *
>>>>       by self write
>>>>       by dn="uid=sasluser7,ou=System,o=xyz" read
>>>>
>>>> I hope it is fine.
>>>>
>>>
>>> I have 'by anonymous auth' on the following:
>>>
>>> access to dn.base="ou=people,dc=example,dc=net"
>>> access to attrs=userPassword
>>> access to attrs=authzTo
>>> access to attrs=objectClass
>>> access to attrs=entry,uidNumber
>>>
>>> You could determine piecemeal if that's sufficient for you but, again,
>>> use debug output to figure it out. For example:
>>>
>>> slapd -d -1 -h ldap:/// -u openldap -g openldap
>>>
>>> See the manpage for slapd for details.
>>>
>>>
>>>> Moreover, we can say that the user is created:
>>>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <uid=sasluser7,ou=System,o=xyz> with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # sasluser7, System, xyz
>>>> dn: uid=sasluser7,ou=System,o=xyz
>>>> uid: sasluser7
>>>> ou: System
>>>> description: Special account for SASL Testing
>>>> userPassword:: c2FzbVHzZXI3
>>>>
>>>
>>> Be aware that the above is a simple uuencoding of your password. It should
>>> now be considered publicly known.
>>>
>>>
>>>> objectClass: account
>>>> objectClass: simpleSecurityObject
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> Also, i would like to highlight one thing:
>>>>
>>>> That when I check for sasldb list users, it throws me an error. Can that
>>>> be an issue point?
>>>> /u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
>>>> -bash: sasldblistusers: command not found
>>>>
>>>
>>> Any of the cyrus sasl* commands are most likely doing the wrong thing,
>>> which default to using the sasldb auxprop store (which uses /etc/sasldb2)
>>> rather than slapd or ldapdb. I would not use them at this point as they're
>>> bound to confuse the matter.
>>>
>>> --
>>> Dan White
>>>
>>
>>
>

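The bind the thread is debugging, modelled end to end as an added example (not code from the thread, from OpenLDAP or from Cyrus SASL): decode the userPassword value as it appears in the LDIF output, recompute the RFC 2831 DIGEST-MD5 response from it the way an auxprop-backed server must, and apply the thread's authz-regexp rule to turn the SASL authentication DN into the directory entry the bind ends up as. It makes three points the thread circles around: the verifier needs the cleartext userPassword (a {SSHA} or other hashed value cannot produce a DIGEST-MD5 response, which is one way to land at "no secret in database"); slapd matches authz-regexp against the normalized authentication DN, which the OpenLDAP Admin Guide writes as uid=...,cn=digest-md5,cn=auth and which may carry a cn=<realm> component, so the rule set below has a second pattern for that form and matches case-insensitively; and the userPassword:: line is just base64, as Dan's warning implies. Assumed, not from the page: qop=auth, realm "localhost", the nonce and digest-uri values, and the second authz-regexp rule.

```python
"""Model of a SASL/DIGEST-MD5 bind as slapd sees it: decode the stored
userPassword from LDIF, recompute the RFC 2831 response from it, and map
the SASL authentication DN to a directory entry with authz-regexp rules.

Added example, not code from the thread, OpenLDAP or Cyrus SASL.
Assumptions: qop=auth, realm "localhost", constructed nonce values and
the thread's sample names (sasluser14, ou=System,o=xyz).
"""
import base64
import hashlib
import hmac
import re

# Constructed from the thread's slapd.conf (authz-regexp <match> <replace>).
# The second rule is an assumption covering the cn=<realm> component that
# DIGEST-MD5 can add between the uid and the mechanism.
AUTHZ_RULES = [
    (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz"),
    (r"uid=([^,]*),cn=[^,]*,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz"),
]


def ldif_attr_value(line: str) -> str:
    """Value of one LDIF attribute line; '::' means the value is base64."""
    name, sep, value = re.match(r"^([^:]+)(::?)\s*(.*)$", line).groups()
    return base64.b64decode(value).decode() if sep == "::" else value


def map_authc_dn(authc_dn: str, rules=AUTHZ_RULES):
    """First matching authz-regexp wins; $1.. refer to regexp groups.

    slapd matches against the normalized authentication DN, so compare
    case-insensitively to accept either spelling of the mechanism name.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None  # unmapped: the bind stays as the cn=auth pseudo-DN


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc,
                        digest_uri, authzid=None):
    """Client response for qop=auth (RFC 2831 section 2.1.2.1)."""
    # A1 starts with the raw 16-byte MD5 of user:realm:password, so the
    # verifier must hold the cleartext password (or exactly that hash).
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:auth:{_hexmd5(a2)}".encode())


def server_verify(stored_userpassword, username, realm, nonce, cnonce, nc,
                  digest_uri, client_response, authzid=None):
    """What an auxprop-backed server does with the fetched userPassword.

    Returns (ok, reason). A hashed value such as {SSHA}... cannot be used,
    which is why the thread's test entries keep cleartext passwords.
    """
    if stored_userpassword.startswith("{"):
        return False, "userPassword is hashed; DIGEST-MD5 needs cleartext"
    expected = digest_md5_response(username, realm, stored_userpassword,
                                   nonce, cnonce, nc, digest_uri, authzid)
    if not hmac.compare_digest(expected, client_response):
        return False, "response mismatch (Invalid credentials)"
    return True, "ok"


def demo():
    """One constructed exchange for sasluser14 from the thread's LDIF."""
    stored = ldif_attr_value("userPassword:: c2FzbHVzZXIxNA==")  # base64 of sasluser14
    nonce, cnonce, nc, uri = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001", "ldap/localhost"
    resp = digest_md5_response("sasluser14", "localhost", "sasluser14", nonce, cnonce, nc, uri)
    ok, why = server_verify(stored, "sasluser14", "localhost", nonce, cnonce, nc, uri, resp)
    bound_as = map_authc_dn("uid=sasluser14,cn=localhost,cn=digest-md5,cn=auth")
    return {"verified": ok, "reason": why, "bound_as": bound_as}


if __name__ == "__main__":
    print(demo())
```

To compare this model with the real server, run slapd with the debug output Dan suggests (slapd -d -1) and look for the authentication DN it constructs during the bind; ldapwhoami -Y DIGEST-MD5 -U <user> prints the DN the bind was mapped to, so a missing authz-regexp match shows up there as a dn: uid=...,cn=auth pseudo-DN rather than the entry under ou=System.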