SASL LDAP
I have an LDAP openldap server I'm trying to use for alfresco users
authentication. The setup was ok, then I recompiled openldap adding the
sasl flag. For some reason the new setup points to an empty user database,
where I cannot load user data.

Looking for the reason why saslauth was looking in /etc/sasl2/sasl2db
instead of using Berkeley DB in /var/lib/openldap-data, where ldapadd
successfully stored user data from the LDIF file, I discovered that
cyrus-sasl warned me about the database choice:

# You have both the 'gdbm' and 'berkdb' USE flags enabled.
# Will default to GNU DB as your SASLdb database backend.
# If you want to build with BerkeleyDB support, hit Control-C now,
# change your USE flags -gdbm and emerge again.

So I added this line in /etc/portage/package.use

dev-libs/cyrus-sasl -gdbm

and reinstalled cyrus-sasl.

The switch to SASL seemed to be ok on the LDAP side:

aemaeth / # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP

aemaeth / # ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP
supportedSASLMechanisms: EXTERNAL

But then I discovered that SASL was still looking in its database; this
time the error log shows that the database is no longer in sasldb format
(these are the messages generated by 'ldapwhoami'):

Jun 29 15:30:50 aemaeth slapd[29062]: >>> slap_listener(ldap://)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_search
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: SRCH "" 0 0
Jun 29 15:30:50 aemaeth slapd[29062]: 0 0 0
Jun 29 15:30:50 aemaeth slapd[29062]: filter: (objectClass=*)
Jun 29 15:30:50 aemaeth slapd[29062]: attrs:
Jun 29 15:30:50 aemaeth slapd[29062]: supportedSASLMechanisms
Jun 29 15:30:50 aemaeth slapd[29062]:
Jun 29 15:30:50 aemaeth slapd[29062]: => send_search_entry: conn 19 dn=""
Jun 29 15:30:50 aemaeth slapd[29062]: <= send_search_entry: conn 19 exit.
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: conn=19 op=0 p=3
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: err=0 matched="" text=""
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=1 tag=101 err=0
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_bind
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:50 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Jun 29 15:30:50 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 1
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_sasl: err=14 len=191
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=2 tag=97 err=14
Jun 29 15:30:50 aemaeth slapd[29062]: <== slap_sasl_bind: rc=14
Jun 29 15:30:50 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: do_bind
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:52 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:52 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=<continuing> datalen=281
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 2
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authcid="root"
Jun 29 15:30:52 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: conn 19 id=root [len=4]
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
Jun 29 15:30:52 aemaeth slapd[29062]: slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authzid="root"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Failure: no secret in database
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: conn=19 op=2 p=3
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_response: msgid=3 tag=97 err=49
Jun 29 15:30:52 aemaeth slapd[29062]: <== slap_sasl_bind: rc=49
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: ber_get_next on fd 13 failed errno=0 (Success)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_closing: readying conn=19 sd=13 for close
Jun 29 15:30:52 aemaeth slapd[29062]: connection_close: conn=19 sd=-1

'/etc/sasl2/sasl2db' is hardcoded into the library itself:

aemaeth ~ # strings /usr/lib64/sasl2/libsasldb.so.2.0.22 | grep sasldb2
/etc/sasl2/sasldb2

Moreover, if I run 'slapcat' I can see all LDAP data, but in the error log
these lines appear:

Jun 29 15:33:24 aemaeth slapcat: sql_select option missing
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error no mechanism available
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error invalid parameter supplied
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

However the plugins seem to be ok, according to pluginviewer:

aemaeth ~ # pluginviewer -a
Installed auxprop mechanisms are: ldapdb sasldb sql
List of auxprop plugins follows
Plugin "ldapdb" , API version: 4
    supports store: yes
Plugin "sasldb" , API version: 4
    supports store: yes
Plugin "sql" , API version: 4
    supports store: yes

saslauthd is running with the following config:

aemaeth ~ # cat /etc/sasl2/saslauthd.conf | grep -v ^# | grep -v ^$
ldap_servers: ldap://localhost:389/
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: uid=admin,dc=secompower,dc=it
ldap_bind_pw: secret
ldap_search_base: dc=secompower,dc=it

Please help me, as I'm starting to be quite frustrated.
Thanks in advance,
Francesco Talamona

-- 
gentoo-user@lists.gentoo.org mailing list
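The slapd output quoted in the post is verbose, and the two lines that matter (the sasldb open error and the err=49 result) are buried in connection chatter. The following triage helper is an added example, not code from the post or from OpenLDAP or cyrus-sasl: it groups slapd SASL diagnostics by connection id, separates auxprop backend errors from the final LDAP result code, and picks up the slapcat plugin-load failures. The sample lines are constructed in the same syslog format as the post; the classification strings in diagnose() are the example's own.

```python
import re
# Constructed sample in the slapd syslog format quoted in the post (abridged).
SAMPLE_LOG = """\
Jun 29 15:30:50 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 1
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authcid="root"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Failure: no secret in database
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
"""
RE_CONN = re.compile(r'\[conn=(\d+)\]|send_ldap_result: conn=(\d+)')
RE_FIELD = re.compile(r'Debug: (?P<mech>\S+) server step|authcid="(?P<authcid>[^"]*)"')
RE_ERROR = re.compile(r'\] (?:Error|Failure): (.*)$')
RE_RESULT = re.compile(r'send_ldap_result: err=(\d+) .*text="([^"]*)"')
RE_PLUGIN = re.compile(r'_sasl_plugin_load failed .* for plugin: (\w+)')

def parse_sasl_log(text):
    """Return (binds, failed_plugins): SASL bind state per conn id, plus auxprop plugins that failed to load."""
    binds, failed_plugins, current = {}, [], None
    for line in text.splitlines():
        m = RE_PLUGIN.search(line)
        if m:
            failed_plugins.append(m.group(1))
            continue
        m = RE_CONN.search(line)
        if m:  # whichever alternative matched carries the conn id
            current = m.group(1) or m.group(2)
            binds.setdefault(current, {"mech": None, "authcid": None,
                                       "errors": [], "rc": None, "text": None})
        if current is None:
            continue  # not attributable to any connection yet
        info = binds[current]
        m = RE_FIELD.search(line)
        if m:
            info.update({k: v for k, v in m.groupdict().items() if v})
        m = RE_ERROR.search(line)
        if m:
            info["errors"].append(m.group(1))
        m = RE_RESULT.search(line)
        if m:  # LDAP result code: 0 = success, 49 = invalidCredentials
            info["rc"], info["text"] = int(m.group(1)), m.group(2)
    return binds, failed_plugins

def diagnose(info):
    """Classify a bind from what the SASL layer reported before the result."""
    if info["rc"] == 0:
        return "ok"
    if any("sasldb" in e for e in info["errors"]):
        return "auxprop lookup went to sasldb, not the directory"
    return "bind failed rc=%s" % info["rc"]
```

Run against the real syslog, a sasldb error paired with err=49 tells you the auxprop backend, not the directory, answered the DIGEST-MD5 lookup; a clean rc=49 without backend errors is an ordinary wrong password.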