Hello Dan,
Thanks for replying. But there is one question:
Question: *While doing ldapsearch, why is the dn showing uid\3Dsasluser21?*
I executed ldapwhoami and here are the findings:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
*Logs:*
ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to
uid=sasluser21,cn=DIGEST-MD5,cn=auth
ldap-test0 slapd[25625]: >>> dnNormalize:
<uid=sasluser21,cn=DIGEST-MD5,cn=auth>
ldap-test0 slapd[25625]: <<< dnNormalize:
<uid=sasluser21,cn=digest-md5,cn=auth>
ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name
uid=sasluser21,cn=digest-md5,cn=auth to a DN
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
string='uid=sasluser21,cn=digest-md5,cn=auth'
ldap-test0 slapd[25625]: ==> rewrite_rule_apply
rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
res={0,'uid=sasluser21,ou=System,o=xyz'}
ldap-test0 slapd[25625]: slap_parseURI: parsing
uid=sasluser21,ou=System,o=xyz
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to
uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to
uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: => bdb_search
ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
ldap-test0 slapd[25625]: => access_allowed: auth access to
"uid=sasluser21,ou=System,o=xyz" "entry" requested
ldap-test0 slapd[25625]: => dn: [2] o=xyz
ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
ldap-test0 slapd[25625]: => acl_get: [4] attr entry
ldap-test0 slapd[25625]: => acl_mask: access to entry
"uid=sasluser21,ou=System,o=xyz", attr "entry" requested
ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
ldap-test0 slapd[25625]: <= check a_dn_pat: self
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0
(stop)
ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
ldap-test0 slapd[25625]: => access_allowed: no more rules
On Wed, Feb 8, 2012 at 9:32 PM, Dan White <[email protected]> wrote:
> On 02/08/12 16:22 +0530, Gaurav Gugnani wrote:
>
>> Hello,
>>
>> Thanks for replying.
>>
>> Now, I am proceeding with the following steps but still getting an error:
>>
>> Steps:
>> 1> cat /usr/lib64/sasl2/slapd.conf
>> # SASL Configuration
>> pwcheck_method: auxprop
>> auxprop_plugin: slapd
>> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>
>> 2> cat /etc/openladp/slapd.conf
>> password-hash {CLEARTEXT}
>> sasl-auxprops slapd
>> authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>
>> *Note:* ACLs are given properly.
>>
>>
>> 3> Then I'm trying to add a user: cat add_sasl_accnt21.ldif
>> dn: uid=sasluser21,ou=System,o=xyz
>> uid: sasluser21
>> ou: System
>> description: Special account for SASL Testing
>> userPassword: sasluser21
>> objectClass: account
>> objectClass: simpleSecurityObject
>>
>> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
>>
>> 5> Now, when I do ldapsearch:
>> ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b
>> 'uid=sasluser12,ou=System,o=xyz'
>>
>
> You should be providing just the username with the -U option. I recommend
> using ldapwhoami to test your authz-regexp rules:
>
> ldapwhoami -Y digest-md5 -U sasluser21
>
>
> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> additional info: SASL(-13): user not found: no secret in database
>>
>> In the log file I got some clue: that it's trying to use modify dn.
>>
>> Have a look plz:
>> slapd[14125]: >>> dnPrettyNormal: <>
>> slapd[14125]: <<< dnPrettyNormal: <>, <>
>> slapd[14125]: conn=1228 op=1 BIND dn="" method=163
>> slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
>> slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
>> slapd[14125]: slap_sasl_getdn: u:id converted to
>> uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
>> slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=
>> DIGEST-MD5,cn=auth>
>> slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=
>> digest-md5,cn=auth>
>> slapd[14125]: ==>slap_sasl2dn: converting SASL name
>> uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
>> slapd[14125]: ==> rewrite_context_apply [depth=1]
>> string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
>> slapd[14125]: ==> rewrite_rule_apply
>> rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth'
>> string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
>> slapd[14125]: ==> rewrite_context_apply [depth=1]
>> res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
>> slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=
>> System,o=xyz
>> slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
>> slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
>> slapd[14125]: <==slap_sasl2dn: Converted SASL name to
>> uid=uid\3Dsasluser21,ou=system,o=xyz
>> slapd[14125]: slap_sasl_getdn: dn:id converted to
>> uid=uid\3Dsasluser21,ou=system,o=xyz
>> slapd[14125]: => bdb_search
>> slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
>> slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
>>
>
> Notice the uid=uid\3Dsasluser21... here, instead of the desired
> uid=sasluser21...
>
>
> slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data
>> pair found (-30988)
>> slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz"
>> "entry" requested
>> slapd[14125]: => dn: [2] o=xyz
>> slapd[14125]: => dn: [3] ou=subscribers,o=xyz
>> slapd[14125]: => acl_get: [4] attr entry
>> slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry"
>> requested
>> slapd[14125]: => acl_mask: to all values by "", (=0)
>> slapd[14125]: <= check a_dn_pat: self
>> slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
>> slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
>> slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
>> slapd[14125]: => slap_access_allowed: disclose access denied by =0
>>
>
> You might need a more permissive (by anonymous auth) ACL here, for
> dn.base="ou=System,o=xyz" and "attrs=entry".
>
> See slapd.access(5).
>
>
> slapd[14125]: => access_allowed: no more rules
>> slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
>> slapd[14125]: SASL [conn=1228] Failure: no secret in database
>> slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
>>
>
> --
> Dan White
>
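The escaping and mapping the two log excerpts in this thread show, as an added Python model (not code from OpenLDAP or from either poster): it builds the uid=<authcid>,cn=<mech>,cn=auth name the way slap_sasl_getdn does, applies the thread's authz-regexp rule, and then checks whether the anonymous internal lookup the slapd auxprop plugin performs would get auth access to the mapped entry. The directory contents and the privilege levels attached to the <who> clauses are constructed assumptions; only the clauses themselves come from the log.

```python
import re

# Constructed directory for this example: normalized DN -> attributes
DIRECTORY = {"uid=sasluser21,ou=system,o=xyz": {"userPassword": "sasluser21"}}
# authz-regexp rule from the thread's slapd.conf: (match, replacement)
AUTHZ_REGEXP = [(r"uid=(.*),cn=DIGEST-MD5,cn=auth", r"uid=\1,ou=System,o=xyz")]
# slapd.access(5) privilege order, lowest to highest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def escape_rdn_value(value):
    """Hex-escape RFC 4514 special characters the way slapd does when it
    builds uid=<authcid>,cn=<mech>,cn=auth ('=' becomes '\\3D').
    Leading '#' and leading/trailing spaces are omitted for brevity."""
    return "".join("\\%02X" % ord(c) if c in ',+"\\<>;=' else c for c in value)

def sasl_authcid_to_dn(authcid, mech="DIGEST-MD5"):
    """Model slap_sasl_getdn for the 'u:id' form of the SASL authcid."""
    return "uid=%s,cn=%s,cn=auth" % (escape_rdn_value(authcid), mech)

def apply_authz_regexp(sasl_dn):
    """First matching rule wins; slapd matches against the normalized
    (case-folded) DN, modelled here with re.IGNORECASE."""
    for pattern, repl in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(repl)
    return sasl_dn  # no rule matched: the raw SASL DN is used as-is

def auth_access_allowed(who_clauses, target_dn, bind_dn=""):
    """The auxprop lookup runs as the anonymous identity (the 'by ""' in
    the log), so a <who> clause must grant at least 'auth' to anonymous."""
    for who, level in who_clauses:
        matched = (who == "*" or (who == "anonymous" and bind_dn == "")
                   or (who == "self" and bind_dn == target_dn) or who == bind_dn)
        if matched:
            return LEVELS.index(level) >= LEVELS.index("auth")
    return False  # no more <who> clauses: denied (=0)

def digest_md5_lookup(authcid, who_clauses):
    """Return (mapped_dn, secret_or_None); None reproduces 'no secret in
    database', whether the DN does not exist or the ACLs hide it."""
    mapped = apply_authz_regexp(sasl_authcid_to_dn(authcid))
    entry = DIRECTORY.get(mapped.lower())
    if entry is None or not auth_access_allowed(who_clauses, mapped.lower()):
        return mapped, None
    return mapped, entry["userPassword"]

# <who> clauses seen in the thread's log (levels assumed) and a fixed set
ACL_FROM_LOG = [("self", "write"), ("uid=replicator,ou=system,o=xyz", "read"),
                ("uid=sasluser21,ou=system,o=xyz", "read")]
ACL_FIXED = [("anonymous", "auth")] + ACL_FROM_LOG
```

Passing `-U uid=sasluser21` yields the escaped `uid\3D...` DN that no entry has, while `-U sasluser21` maps correctly but still fails until a clause grants anonymous auth access.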