Hello,

Thanks for replying.

Now I am proceeding with the following steps but still getting an error:

Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

2> cat /etc/openldap/slapd.conf
password-hash  {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

*Note:* ACLs are given properly.

3> Then I'm trying to add a user: cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject

4> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif

5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

In the log file I got some clue: it's trying to use a modified DN.

Have a look, please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3

In LDAP it is storing perfectly fine:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
# sasluser21, System, xyz
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXIyMQ==
objectClass: account
objectClass: simpleSecurityObject

Now, kindly suggest, as proceeding in this direction too gave me an error :( :(

Thanks and Regards,
Gaurav Gugnani


On Tue, Feb 7, 2012 at 8:37 PM, Dan White <[email protected]> wrote:

> On 02/07/12 11:01 +0530, Gaurav Gugnani wrote:
>
>> Hello All,
>>
>> Thanks to all for helping me out. I hope now the destination is not too far
>> as I achieved the SASL but it is storing using sasldb.
>> However, I want it to store information in the LDAP directory.
>>
>> I've installed the corresponding package:
>> cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
>>
>> Steps for SASL in LDAP using sasldb
>> ------------------------------------------------------
>>
>> 1> saslpasswd2 -c sasluser14
>> 2> sasldblistusers2
>>
>
> I can't stress enough that these commands are going to confuse you when
> using slapd. There really are only a few advanced uses for using these
> commands in your desired environment.
>
>
>> 3> service ldap stop
>>
>> 4> vi etc/openldap/slapd.conf
>>     sasl-auxprops sasldb
>>
>
> This is the wrong thing to do. You should remove this option if you wish to
> have slapd use userPassword to authenticate your users. By specifying
> sasldb here, you're instructing slapd, by way of libsasl2, to authenticate
> your users against /etc/sasldb2.
>
> Also,
>
> sasl-auxprops ldapdb
>
> would also be the wrong thing to do. In addition to 'sasldb' and 'ldapdb',
> slapd implements its own auxprop plugin called 'slapd' which is the
> default, and which Does the Right Thing (TM). However, be aware that
> 'slapd' will not show up in the output of pluginviewer (or at least I'm not
> aware of a way to make it do so).
>
>
>>     authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>     - Give proper ACL to sasluser14
>>
>> 5> cat /usr/lib64/sasl2/slapd.conf
>> # SASL Configuration
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>>
>
> Again this is the wrong thing to do. In recent versions of slapd this value
> is overridden by 'sasl-auxprops'.
>
>> #auxprop_plugin: slapd
>>
>
> You should uncomment this, if using older versions of slapd. In newer
> versions of slapd, 'sasl-auxprops' defaults to slapd.
>
>
>> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>
>
> CRAM-MD5 and DIGEST-MD5 are fine here. If you really want to use PLAIN and
> LOGIN, specify a relaxed 'sasl-secprops' within your slapd configuration.
>
>> sasldb_path: /etc/sasldb2
>>
>
> Unnecessary.
>
>
>> 6> service ldap start
>>
>> 7> ps -eaf | grep -i ldap
>>
>> 8> vi add_sasl_accnt14.ldif
>>  # TEST Account for SASL:
>>  dn: uid=sasluser14,ou=System,o=xyz
>>  uid: sasluser14
>>  ou: System
>>  description: Special account for SASL Testing
>>  userPassword: sasluser14
>>  objectClass: account
>>  objectClass: simpleSecurityObject
>>
>> 9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
>>
>> 10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b
>> 'uid=sasluser7,ou=system,o=xyz'
>>
>> But now the problem is that it is storing the users in sasldb, and we want to
>> use the LDAP directory.
>> Can anyone please suggest what changes I need to make to achieve it?
>>
>
> See above.
>
>
> On 02/07/12 16:43 +0530, Gaurav Gugnani wrote:
>
>> Hello All,
>>
>> I was working on this problem and figured out that the ldapdb auxprop plugin
>> is missing.
>>
>> /u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
>> Installed SASL (server side) mechanisms are:
>> CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
>> ...
>> Installed auxprop mechanisms are:
>> sasldb
>> List of auxprop plugins follows
>> Plugin "sasldb" ,   API version: 4
>>      supports store: yes
>>
>> I read that to use such thing, ldapdb auxprop plugin should be enabled.
>> http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
>>
>
> ldapdb should only be used from outside of slapd. For instance, if you were
> running a mail server that you wish to authenticate against slapd, then
> ldapdb would be appropriate.
>
> --
> Dan White
>

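What the slapd trace in the message above is doing, as an added model (not OpenLDAP code and not from anyone in this thread): slapd hex-escapes the SASL authcid into uid=<id>,cn=<mech>,cn=auth before authz-regexp rewrites it, so an authcid that is literally `uid=sasluser21` becomes `uid=uid\3Dsasluser21,...` and maps to a DN with no entry, while the bare `sasluser21` maps to the entry holding userPassword. The rule, mechanism name and directory contents are assumptions taken from the posted configuration and log.

```python
import re

# Constructed model of slap_sasl_getdn + authz-regexp; not OpenLDAP code.
# Characters that must be escaped inside an RDN value (RFC 4514); slapd
# writes them as \XX, which is where the "\3D" in the posted log comes from.
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an authcid so it can be used as the uid= value of a cn=auth DN."""
    return ''.join('\\%02X' % ord(c) if c in _RDN_SPECIAL else c for c in value)


def sasl_authcid_to_dn(authcid: str, mech: str) -> str:
    """The 'u:id converted to ...' step: uid=<escaped id>,cn=<mech>,cn=auth."""
    return f"uid={escape_rdn_value(authcid)},cn={mech},cn=auth"


def apply_authz_regexp(sasl_dn: str, rules) -> str:
    """First matching authz-regexp wins and $1..$9 are substituted into its
    replacement. slapd matches the normalized (lower-cased) DN, so the match
    is case-insensitive; an unmatched DN is returned unchanged."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn


# The authz-regexp rule visible in the posted rewrite_rule_apply line (assumed).
RULES = [(r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]

# Constructed stand-in for the directory: normalized DNs that actually exist.
DIRECTORY = {"uid=sasluser21,ou=system,o=xyz"}


def resolve(authcid: str, mech: str = "DIGEST-MD5"):
    """Return (mapped DN, whether an entry exists to read userPassword from).
    A False second value is the state that produces 'no secret in database'."""
    dn = apply_authz_regexp(sasl_authcid_to_dn(authcid, mech), RULES)
    return dn, dn.lower() in DIRECTORY


if __name__ == "__main__":
    # "-U uid=sasluser21" makes the authcid literally "uid=sasluser21".
    for authcid in ("uid=sasluser21", "sasluser21"):
        dn, found = resolve(authcid)
        print(f"{authcid!r:20} -> {dn}  {'found' if found else 'NOT FOUND'}")
```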