Solved

SASL sasldb2 + LDAP problem

Posted on 2011-03-06
Last Modified: 2013-12-24
Hi!

For a week I have been trying to authenticate to LDAP through SASL sasldb2, with the auxprop plugin sasldb2....
I want to perform a sasldb2 (not through LDAP) authentication and then map the user to a DN...
Maybe a regexp problem in the slapd.conf?

PLEASE HELP :-))

THANKS
[root@filemon ~]# cat /etc/openldap/slapd.conf
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb

###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/filemon.eurosistemi.lan.cert.pem
TLSCertificateKeyFile /etc/openldap/filemon.eurosistemi.lan.key.pem

##############
# SASL       #
##############

sasl-realm filemon.eurosistemi.lan

#password-hash   {CLEARTEXT}

#authz-regexp "^uid=([^,]+).*,cn=auth$"
#             "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"

#authz-regexp
#          uid=(.*),cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
#          uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan


authz-regexp "^uid=([^,]+).*,cn=auth$"
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"

#authz-regexp
#         "uid=([^,]*),cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"
#         "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"


##########################
# Database Configuration #
##########################

database hdb
suffix "dc=filemon,dc=eurosistemi,dc=lan"

rootdn "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory /var/lib/ldap


# directory /usr/local/var/openldap-data

index objectClass,cn eq



########
# ACLs #
########
access to attrs=userPassword
  by anonymous auth
  by self write
  by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
  by * none


access to *
       by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
       by self write
       by * none


##########################################################





[root@filemon ~]# sasldblistusers2
m.lattari@filemon.eurosistemi.lan: userPassword
Manager@filemon.eurosistemi.lan: userPassword



[root@filemon ~]# cat /etc/sasl2/slapd.conf
# SASL Configuration
log_level: -1
pwcheck_method:auxprop
auxprop_plugin:sasldb
sasldb_path:/etc/sasldb2
mech_list:DIGEST-MD5
#sasl-realm: filemon.eurosistemi.lan


[root@filemon ~]# ldapsearch -x -H ldaps://filemon.eurosistemi.lan -D "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" -b "ou=Users,dc=filemon,dc=eurosistemi,dc=lan" \
> -W "(uid=m.lattari)" -LLL
Enter LDAP Password:
dn: uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan
uid: m.lattari
cn: michael lattari
sn: lattari
givenName: michael
ou: Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


[root@filemon ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap






[root@filemon ~]# pluginviewer
Installed SASL (server side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of client plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION






[root@filemon ~]# ldapsearch -U m.lattari '(uid=m.lattari)' -v
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database






Mar  6 09:23:57 filemon slapd[11510]: slap_listener_activate(7):
Mar  6 09:23:57 filemon slapd[11510]: >>> slap_listener(ldap://127.0.0.1/)
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x63, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=0 do_search
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: => send_search_entry: conn 3 dn=""
Mar  6 09:23:57 filemon slapd[11510]: <= send_search_entry: conn 3 exit.
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_result: conn=3 op=0 p=3
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=1 tag=101 err=0
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x60, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=1 do_bind
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:23:57 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_sasl: err=14 len=196
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=2 tag=97 err=14
Mar  6 09:23:57 filemon slapd[11510]: <== slap_sasl_bind: rc=14
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: op tag 0x60, time 1299399840
Mar  6 09:24:00 filemon slapd[11510]: conn=3 op=2 do_bind
Mar  6 09:24:00 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:24:00 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 2
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl_getdn: u:id converted to uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: ==>slap_sasl2dn: converting SASL name uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth to a DN
Mar  6 09:24:00 filemon slapd[11510]: slap_parseURI: parsing ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl2dn: performing internal search (base=dc=filemon,dc=eurosistemi,dc=lan, scope=2)
Mar  6 09:24:00 filemon slapd[11510]: => hdb_search
Mar  6 09:24:00 filemon slapd[11510]: bdb_dn2entry("dc=filemon,dc=eurosistemi,dc=lan")
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Failure: no secret in database
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_response: msgid=3 tag=97 err=49
Mar  6 09:24:00 filemon slapd[11510]: <== slap_sasl_bind: rc=49
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: ber_get_next on fd 12 failed errno=0 (Success)
Mar  6 09:24:00 filemon slapd[11510]: connection_close: conn=3 sd=12

Question by:mlattari
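
Added example (not part of the original post and not OpenLDAP code): a small offline tester that applies the authz-regexp rules from the slapd.conf above to the SASL name shown in the slapd log, so the result of each rule can be inspected before slapd is restarted. The constant and function names are assumptions made for this sketch, and Python's re module stands in for the POSIX regular expressions slapd uses.

```python
import re
from urllib.parse import unquote

# SASL name taken from the slapd log above (after dnNormalize).
SASL_NAME = "uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"

# (match, replace) pairs copied from the slapd.conf above.
ACTIVE_RULE = (r"^uid=([^,]+).*,cn=auth$",
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)")
DIRECT_RULE = (r"^uid=([^,]+).*,cn=auth$",
               "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan")


def expand(replace, match):
    """Substitute $1..$9 in the replace pattern with the captured groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), replace)


def map_sasl_name(name, rules):
    """Apply rules in file order; the first pattern that matches wins.

    Returns ("dn", dn) for a direct mapping, ("search", base, scope, filter)
    for an LDAP-URL mapping (slapd then runs an internal search and needs
    exactly one entry back), or None when no rule matches.
    """
    for pattern, replace in rules:
        m = re.search(pattern, name, re.IGNORECASE)
        if not m:
            continue
        target = expand(replace, m)
        if not target.lower().startswith("ldap:///"):
            return ("dn", target)
        # URL layout: ldap:///<base>?<attrs>?<scope>?<filter>
        parts = target[len("ldap:///"):].split("?", 3)
        parts += [""] * (4 - len(parts))
        base, _attrs, scope, flt = (unquote(p) for p in parts)
        return ("search", base, scope or "base", flt)
    return None


if __name__ == "__main__":
    print(map_sasl_name(SASL_NAME, [ACTIVE_RULE]))
    print(map_sasl_name(SASL_NAME, [DIRECT_RULE]))
```

With the active rule the search filter is the literal (uid=matt) for every user, because the replacement contains no $1; the commented-out direct rule yields the DN of the m.lattari entry returned by the ldapsearch above.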

Accepted Solution

by:
mlattari earned 0 total points
ID: 35123913
Please!

Where are all the EXPERTS ???

I have found the solution after two weeks of intensive documentation reading....
It is enough to add this ACL rule to the slapd.conf file:

# server side authentication access from ip 127.0.0.1
access to *
 by peername.ip=127.0.0.1 =x

Very, very strange that nobody helped me ....

Author Closing Comment

by:mlattari
ID: 35123918
Please.... where are the experts, and what am I paying for?!
LVL 1

Expert Comment

by:rockas1982
ID: 37407403
+1 on the last one