[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

SASL sasldb2 + LDAP problem

Posted on 2011-03-06
6
Medium Priority
?
1,599 Views
Last Modified: 2013-12-24
Hi!

Since a week I try to athenticate to ldap through SASL sasldb2, with auxprop plugin sasldb2....
I want to perform a sasldb2 (not through ldap) authentication and then map the user to a DN...
Maybe a regexp problem in the slapd.conf ??

PLEASE HELP :-))

THANKS
[root@filemon ~]# cat /etc/openldap/slapd.conf
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb

###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/filemon.eurosistemi.lan.cert.pem
TLSCertificateKeyFile /etc/openldap/filemon.eurosistemi.lan.key.pem

##############
# SASL       #
##############

sasl-realm filemon.eurosistemi.lan

#password-hash   {CLEARTEXT}

#authz-regexp "^uid=([^,]+).*,cn=auth$"
#             "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"

#authz-regexp
#          uid=(.*),cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
#          uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan


authz-regexp "^uid=([^,]+).*,cn=auth$"
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"

#authz-regexp
#         "uid=([^,]*),cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"
#         "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"


##########################
# Database Configuration #
##########################

database hdb
suffix "dc=filemon,dc=eurosistemi,dc=lan"

rootdn "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory /var/lib/ldap


# directory /usr/local/var/openldap-data

index objectClass,cn eq



########
# ACLs #
########
access to attrs=userPassword
  by anonymous auth
  by self write
  by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
  by * none


access to *
       by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
       by self write
       by * none


##########################################################





[root@filemon ~]# sasldblistusers2
m.lattari@filemon.eurosistemi.lan: userPassword
Manager@filemon.eurosistemi.lan: userPassword



[root@filemon ~]# cat /etc/sasl2/slapd.conf
# SASL Configuration
log_level: -1
pwcheck_method:auxprop
auxprop_plugin:sasldb
sasldb_path:/etc/sasldb2
mech_list:DIGEST-MD5
#sasl-realm: filemon.eurosistemi.lan


[root@filemon ~]# ldapsearch -x -H ldaps://filemon.eurosistemi.lan -D "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" -b "ou=Users,dc=filemon,dc=eurosistemi,dc=lan" \
> -W "(uid=m.lattari)" -LLL
Enter LDAP Password:
dn: uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan
uid: m.lattari
cn: michael lattari
sn: lattari
givenName: michael
ou: Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


[root@filemon ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap






[root@filemon ~]# pluginviewer
Installed SASL (server side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of client plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION






[root@filemon ~]# ldapsearch -U m.lattari '(uid=m.lattari)' -v
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database






Mar  6 09:23:57 filemon slapd[11510]: slap_listener_activate(7):
Mar  6 09:23:57 filemon slapd[11510]: >>> slap_listener(ldap://127.0.0.1/)
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x63, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=0 do_search
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: => send_search_entry: conn 3 dn=""
Mar  6 09:23:57 filemon slapd[11510]: <= send_search_entry: conn 3 exit.
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_result: conn=3 op=0 p=3
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=1 tag=101 err=0
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x60, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=1 do_bind
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:23:57 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_sasl: err=14 len=196
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=2 tag=97 err=14
Mar  6 09:23:57 filemon slapd[11510]: <== slap_sasl_bind: rc=14
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: op tag 0x60, time 1299399840
Mar  6 09:24:00 filemon slapd[11510]: conn=3 op=2 do_bind
Mar  6 09:24:00 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:24:00 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 2
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl_getdn: u:id converted to uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: ==>slap_sasl2dn: converting SASL name uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth to a DN
Mar  6 09:24:00 filemon slapd[11510]: slap_parseURI: parsing ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl2dn: performing internal search (base=dc=filemon,dc=eurosistemi,dc=lan, scope=2)
Mar  6 09:24:00 filemon slapd[11510]: => hdb_search
Mar  6 09:24:00 filemon slapd[11510]: bdb_dn2entry("dc=filemon,dc=eurosistemi,dc=lan")
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Failure: no secret in database
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_response: msgid=3 tag=97 err=49
Mar  6 09:24:00 filemon slapd[11510]: <== slap_sasl_bind: rc=49
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: ber_get_next on fd 12 failed errno=0 (Success)
Mar  6 09:24:00 filemon slapd[11510]: connection_close: conn=3 sd=12

Open in new window

0
Comment
Question by:mlattari
  • 2
3 Comments
 

Accepted Solution

by:
mlattari earned 0 total points
ID: 35123913
Please!

Where are all the EXPERTS ???

I have found the solution after two weeks of intensive documentation reading....
It is enough to add to the slapd.conf file this ACL rule:

access to *
 by peername.ip=127.0.0.1 =x (server side authentication access from ip 127.0.0.1)

very very strange that nobody helped me ....
0
 

Author Closing Comment

by:mlattari
ID: 35123918
please....where are the experts and for what I am paying ?!
0
 
LVL 1

Expert Comment

by:rockas1982
ID: 37407403
+1 on the last one
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes has been used since a very long time as an e-mail client and is very popular because of it's unmatched security. In this article we are going to learn about  RRV Bucket corruption and understand various methods to Fix "RRV Bucket Corrupt…
In this article, I’ll look at how you can use a backup to start a secondary instance for MongoDB.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses
Course of the Month19 days, 20 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question