
SASL sasldb2 + LDAP problem

Hi!

For a week I have been trying to authenticate to LDAP through SASL sasldb2, with the auxprop plugin sasldb2....
I want to perform sasldb2 authentication (not through LDAP) and then map the user to a DN...
Maybe a regexp problem in slapd.conf?

PLEASE HELP :-))

THANKS
[root@filemon ~]# cat /etc/openldap/slapd.conf
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb

###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/filemon.eurosistemi.lan.cert.pem
# NOTE(review): the private key must be readable only by the slapd service
# account — its mode/ownership is not shown here, confirm it.
TLSCertificateKeyFile /etc/openldap/filemon.eurosistemi.lan.key.pem

##############
# SASL       #
##############

sasl-realm filemon.eurosistemi.lan

#password-hash   {CLEARTEXT}

#authz-regexp "^uid=([^,]+).*,cn=auth$"
#             "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"

#authz-regexp
#          uid=(.*),cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
#          uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan


# Maps the SASL authentication DN (uid=<user>,...,cn=auth) to a directory
# entry by running an internal subtree search under the suffix.
# NOTE(review): the regexp captures the user name into $1, but the URI
# filter is the literal (uid=matt), so every SASL identity is looked up as
# "matt"; (uid=$1) was probably intended. The bind attempt in this thread
# was for uid m.lattari, which this filter can never match.
authz-regexp "^uid=([^,]+).*,cn=auth$"
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"

#authz-regexp
#         "uid=([^,]*),cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"
#         "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"


##########################
# Database Configuration #
##########################

database hdb
suffix "dc=filemon,dc=eurosistemi,dc=lan"

rootdn "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan"
# NOTE(review): {MD5} is an unsalted digest of the rootdn password; prefer a
# salted scheme such as {SSHA} (slappasswd -h '{SSHA}'). This value has been
# posted publicly, so the rootdn password should be rotated.
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory /var/lib/ldap


# directory /usr/local/var/openldap-data

# Equality index on objectClass and cn only; uid, which the authz-regexp
# filter above searches on, is not indexed here.
index objectClass,cn eq



########
# ACLs #
########
# slapd applies the first "access to" clause whose target matches, so this
# userPassword rule must stay ahead of the catch-all "access to *" below,
# and any further "access to *" rule added later also belongs after it or
# it will shadow this one.
access to attrs=userPassword
  by anonymous auth
  by self write
  by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
  by * none


# Everything else: only the rootdn and the entry itself may read/write;
# anonymous and other authenticated identities get no access at all.
# NOTE(review): this also denies the internal search run for authz-regexp,
# which looks like the reason the SASL name converts to <nothing> — confirm
# which identity slapd performs that search as before loosening it.
access to *
       by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
       by self write
       by * none


##########################################################





[root@filemon ~]# sasldblistusers2
m.lattari@filemon.eurosistemi.lan: userPassword
Manager@filemon.eurosistemi.lan: userPassword



[root@filemon ~]# cat /etc/sasl2/slapd.conf
# SASL Configuration
# Cyrus SASL options for slapd (the library selects this file by application
# name).
# NOTE(review): -1 is outside the documented 0-7 log_level range; the top
# levels trace authentication material into the log, so confirm what -1 maps
# to and lower it once debugging is done.
log_level: -1
# Verify passwords through the auxprop plugin below rather than saslauthd.
pwcheck_method:auxprop
auxprop_plugin:sasldb
# NOTE(review): DIGEST-MD5 needs plaintext-equivalent secrets, so this file
# must be readable by the slapd service account and nobody else — its
# mode/ownership is not shown here.
sasldb_path:/etc/sasldb2
# Restricts the advertised mechanisms to DIGEST-MD5.
mech_list:DIGEST-MD5
#sasl-realm: filemon.eurosistemi.lan


[root@filemon ~]# ldapsearch -x -H ldaps://filemon.eurosistemi.lan -D "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" -b "ou=Users,dc=filemon,dc=eurosistemi,dc=lan" \
> -W "(uid=m.lattari)" -LLL
Enter LDAP Password:
dn: uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan
uid: m.lattari
cn: michael lattari
sn: lattari
givenName: michael
ou: Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


[root@filemon ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap






[root@filemon ~]# pluginviewer
Installed SASL (server side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of client plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION






[root@filemon ~]# ldapsearch -U m.lattari '(uid=m.lattari)' -v
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database






Mar  6 09:23:57 filemon slapd[11510]: slap_listener_activate(7):
Mar  6 09:23:57 filemon slapd[11510]: >>> slap_listener(ldap://127.0.0.1/)
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x63, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=0 do_search
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: => send_search_entry: conn 3 dn=""
Mar  6 09:23:57 filemon slapd[11510]: <= send_search_entry: conn 3 exit.
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_result: conn=3 op=0 p=3
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=1 tag=101 err=0
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x60, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=1 do_bind
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:23:57 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_sasl: err=14 len=196
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=2 tag=97 err=14
Mar  6 09:23:57 filemon slapd[11510]: <== slap_sasl_bind: rc=14
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: op tag 0x60, time 1299399840
Mar  6 09:24:00 filemon slapd[11510]: conn=3 op=2 do_bind
Mar  6 09:24:00 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:24:00 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 2
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl_getdn: u:id converted to uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: ==>slap_sasl2dn: converting SASL name uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth to a DN
Mar  6 09:24:00 filemon slapd[11510]: slap_parseURI: parsing ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl2dn: performing internal search (base=dc=filemon,dc=eurosistemi,dc=lan, scope=2)
Mar  6 09:24:00 filemon slapd[11510]: => hdb_search
Mar  6 09:24:00 filemon slapd[11510]: bdb_dn2entry("dc=filemon,dc=eurosistemi,dc=lan")
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Failure: no secret in database
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_response: msgid=3 tag=97 err=49
Mar  6 09:24:00 filemon slapd[11510]: <== slap_sasl_bind: rc=49
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: ber_get_next on fd 12 failed errno=0 (Success)
Mar  6 09:24:00 filemon slapd[11510]: connection_close: conn=3 sd=12


mlattari
Asked:
mlattari
mlattariAuthor Commented:
Please!

Where are all the EXPERTS ???

I found the solution after two weeks of intensive documentation reading....
It is enough to add this ACL rule to the slapd.conf file:

access to *
 by peername.ip=127.0.0.1 =x
(server-side authentication access, i.e. the "auth" privilege only, for any client connecting from IP 127.0.0.1; since slapd applies the first "access to" clause whose target matches, place it after the more specific attrs=userPassword rule or it will shadow that rule)

Very, very strange that nobody helped me....
mlattariAuthor Commented:
Please... where are the experts, and what am I paying for?!
rockas1982Commented:
+1 on the last one
