Solved

SASL sasldb2 + LDAP problem

Posted on 2011-03-06
Last Modified: 2013-12-24
Hi!

For a week I have been trying to authenticate to LDAP through SASL sasldb2, with the auxprop plugin sasldb2....
I want to perform a sasldb2 authentication (not through LDAP) and then map the user to a DN...
Maybe a regexp problem in the slapd.conf??

PLEASE HELP :-))

THANKS
[root@filemon ~]# cat /etc/openldap/slapd.conf
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb

###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/filemon.eurosistemi.lan.cert.pem
TLSCertificateKeyFile /etc/openldap/filemon.eurosistemi.lan.key.pem

##############
# SASL       #
##############

sasl-realm filemon.eurosistemi.lan

#password-hash   {CLEARTEXT}

#authz-regexp "^uid=([^,]+).*,cn=auth$"
#             "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"

#authz-regexp
#          uid=(.*),cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
#          uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan


authz-regexp "^uid=([^,]+).*,cn=auth$"
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"

#authz-regexp
#         "uid=([^,]*),cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"
#         "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"


##########################
# Database Configuration #
##########################

database hdb
suffix "dc=filemon,dc=eurosistemi,dc=lan"

rootdn "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory /var/lib/ldap


# directory /usr/local/var/openldap-data

index objectClass,cn eq



########
# ACLs #
########
access to attrs=userPassword
  by anonymous auth
  by self write
  by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
  by * none


access to *
       by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
       by self write
       by * none


##########################################################





[root@filemon ~]# sasldblistusers2
m.lattari@filemon.eurosistemi.lan: userPassword
Manager@filemon.eurosistemi.lan: userPassword



[root@filemon ~]# cat /etc/sasl2/slapd.conf
# SASL Configuration
log_level: -1
pwcheck_method:auxprop
auxprop_plugin:sasldb
sasldb_path:/etc/sasldb2
mech_list:DIGEST-MD5
#sasl-realm: filemon.eurosistemi.lan


[root@filemon ~]# ldapsearch -x -H ldaps://filemon.eurosistemi.lan -D "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" -b "ou=Users,dc=filemon,dc=eurosistemi,dc=lan" \
> -W "(uid=m.lattari)" -LLL
Enter LDAP Password:
dn: uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan
uid: m.lattari
cn: michael lattari
sn: lattari
givenName: michael
ou: Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


[root@filemon ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap






[root@filemon ~]# pluginviewer
Installed SASL (server side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of client plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION






[root@filemon ~]# ldapsearch -U m.lattari '(uid=m.lattari)' -v
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database






Mar  6 09:23:57 filemon slapd[11510]: slap_listener_activate(7):
Mar  6 09:23:57 filemon slapd[11510]: >>> slap_listener(ldap://127.0.0.1/)
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x63, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=0 do_search
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: => send_search_entry: conn 3 dn=""
Mar  6 09:23:57 filemon slapd[11510]: <= send_search_entry: conn 3 exit.
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_result: conn=3 op=0 p=3
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=1 tag=101 err=0
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x60, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=1 do_bind
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:23:57 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_sasl: err=14 len=196
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=2 tag=97 err=14
Mar  6 09:23:57 filemon slapd[11510]: <== slap_sasl_bind: rc=14
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: op tag 0x60, time 1299399840
Mar  6 09:24:00 filemon slapd[11510]: conn=3 op=2 do_bind
Mar  6 09:24:00 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:24:00 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 2
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl_getdn: u:id converted to uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: ==>slap_sasl2dn: converting SASL name uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth to a DN
Mar  6 09:24:00 filemon slapd[11510]: slap_parseURI: parsing ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl2dn: performing internal search (base=dc=filemon,dc=eurosistemi,dc=lan, scope=2)
Mar  6 09:24:00 filemon slapd[11510]: => hdb_search
Mar  6 09:24:00 filemon slapd[11510]: bdb_dn2entry("dc=filemon,dc=eurosistemi,dc=lan")
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Failure: no secret in database
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_response: msgid=3 tag=97 err=49
Mar  6 09:24:00 filemon slapd[11510]: <== slap_sasl_bind: rc=49
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: ber_get_next on fd 12 failed errno=0 (Success)
Mar  6 09:24:00 filemon slapd[11510]: connection_close: conn=3 sd=12

Question by:mlattari
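The mapping step that fails in the posted log (slap_sasl2dn: "Converted SASL name to <nothing>") can be checked offline before restarting slapd. The following Python script is an added example, not code from the original post or from OpenLDAP: it models slapd's authz-regexp handling, applying the first matching rule to the normalized SASL authentication DN from the log, substituting $1 into the replacement, and, for an ldap:/// replacement, running the search against a small constructed directory holding the one entry the posted ldapsearch returned. It shows why the rule in the posted slapd.conf cannot work: its replacement URL carries the literal filter (uid=matt), so the internal search never looks for the user who actually authenticated. RULES_FIXED is a hypothetical corrected rule in the shape used by the OpenLDAP admin guide; the directory contents and the extra "matt" entry in the demo are constructed. The script does not model ACLs (which the accepted answer's fix touches) or the sasldb lookup that produced "no secret in database".

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample input: the SASL authentication DN slapd derived from the
# DIGEST-MD5 bind in the posted log ("slap_sasl_getdn: u:id converted to ...").
SASL_AUTH_DN = "uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth"

# Constructed stand-in for the directory, keyed by normalized (lowercased) DN.
# Only the entry the posted ldapsearch returned exists; there is no "matt".
DIRECTORY = {
    "uid=m.lattari,ou=users,dc=filemon,dc=eurosistemi,dc=lan": {"uid": "m.lattari"},
}

# The authz-regexp active in the posted slapd.conf: the replacement URL uses the
# literal filter (uid=matt) instead of the captured $1.
RULES_POSTED = [
    (r"^uid=([^,]+).*,cn=auth$",
     "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"),
]

# Hypothetical corrected rule (not from the page): capture the uid from the
# SASL DN and substitute it into the search filter.
RULES_FIXED = [
    (r"^uid=([^,]+),cn=filemon\.eurosistemi\.lan,cn=digest-md5,cn=auth$",
     "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=$1)"),
]


def normalize_dn(dn: str) -> str:
    """Approximate slapd's dnNormalize: the log shows the mech name lowercased."""
    return dn.lower()


def map_sasl_dn(sasl_dn: str, rules) -> Optional[str]:
    """Apply the first matching authz-regexp; $1..$9 are replaced by capture groups.
    slapd compiles these patterns as extended, case-insensitive regexes."""
    dn = normalize_dn(sasl_dn)
    for pattern, replacement in rules:
        m = re.search(pattern, dn, re.IGNORECASE)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return None


def resolve(mapped: Optional[str], directory: dict) -> Optional[str]:
    """Turn a replacement into an entry DN.
    A plain DN is returned as-is (slapd does not look it up at this point); an
    ldap:/// URL is searched and must match exactly one entry, otherwise the
    mapping yields nothing (the log's "Converted SASL name to <nothing>")."""
    if mapped is None:
        return None
    if not mapped.lower().startswith("ldap:///"):
        return mapped
    # ldap:///base?attrs?scope?filter -- only (attr=value) equality filters are modelled
    base, _attrs, scope, filt = (unquote(p) for p in mapped[len("ldap:///"):].split("?", 3))
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not fm:
        raise ValueError("filter shape not modelled: " + filt)
    attr, value = fm.group(1).lower(), fm.group(2).lower()
    base = base.lower()
    hits = []
    for dn, entry in directory.items():
        in_scope = (dn == base or dn.endswith("," + base)) if scope == "sub" else dn == base
        if in_scope and entry.get(attr, "").lower() == value:
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def demo():
    """Returns (posted rule result, fixed rule result, posted rule result if 'matt' existed)."""
    posted = resolve(map_sasl_dn(SASL_AUTH_DN, RULES_POSTED), DIRECTORY)
    fixed = resolve(map_sasl_dn(SASL_AUTH_DN, RULES_FIXED), DIRECTORY)
    # Constructed: if a "matt" entry existed, the posted rule would map every
    # DIGEST-MD5 user onto it, regardless of who authenticated.
    with_matt = dict(DIRECTORY)
    with_matt["uid=matt,ou=users,dc=filemon,dc=eurosistemi,dc=lan"] = {"uid": "matt"}
    confused = resolve(map_sasl_dn(SASL_AUTH_DN, RULES_POSTED), with_matt)
    return posted, fixed, confused


if __name__ == "__main__":
    for label, result in zip(("posted rule", "fixed rule", "posted rule + matt"), demo()):
        print(f"{label}: {result}")
```

With the posted rule the search for (uid=matt) finds nothing, so the bind identity maps to no DN; with the corrected rule the same SASL DN resolves to uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan. The third result is the security point: a replacement that hardcodes a uid would, once that entry exists, give every authenticated user that entry's identity.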
6 Comments
 

Accepted Solution

by:
mlattari earned 0 total points
ID: 35123913
Please!

Where are all the EXPERTS???

I found the solution after two weeks of intensive documentation reading....
It is enough to add this ACL rule to the slapd.conf file:

access to *
 by peername.ip=127.0.0.1 =x    (server-side authentication access from IP 127.0.0.1)

Very, very strange that nobody helped me....
 

Author Closing Comment

by:mlattari
ID: 35123918
Please... where are the experts, and what am I paying for?!

Expert Comment

by:rockas1982
ID: 37407403
+1 on the last one
