Solved

SASL sasldb2 + LDAP problem

Posted on 2011-03-06
6
1,503 Views
Last Modified: 2013-12-24
Hi!

Since a week I try to athenticate to ldap through SASL sasldb2, with auxprop plugin sasldb2....
I want to perform a sasldb2 (not through ldap) authentication and then map the user to a DN...
Maybe a regexp problem in the slapd.conf ??

PLEASE HELP :-))

THANKS
[root@filemon ~]# cat /etc/openldap/slapd.conf
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
moduleload back_hdb

###########
# SSL/TLS #
###########
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/filemon.eurosistemi.lan.cert.pem
TLSCertificateKeyFile /etc/openldap/filemon.eurosistemi.lan.key.pem

##############
# SASL       #
##############

sasl-realm filemon.eurosistemi.lan

#password-hash   {CLEARTEXT}

#authz-regexp "^uid=([^,]+).*,cn=auth$"
#             "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"

#authz-regexp
#          uid=(.*),cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
#          uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan


authz-regexp "^uid=([^,]+).*,cn=auth$"
               "ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)"

#authz-regexp
#         "uid=([^,]*),cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth"
#         "uid=$1,ou=Users,dc=filemon,dc=eurosistemi,dc=lan"


##########################
# Database Configuration #
##########################

database hdb
suffix "dc=filemon,dc=eurosistemi,dc=lan"

rootdn "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==

directory /var/lib/ldap


# directory /usr/local/var/openldap-data

index objectClass,cn eq



########
# ACLs #
########
access to attrs=userPassword
  by anonymous auth
  by self write
  by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
  by * none


access to *
       by dn="cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" write
       by self write
       by * none


##########################################################





[root@filemon ~]# sasldblistusers2
m.lattari@filemon.eurosistemi.lan: userPassword
Manager@filemon.eurosistemi.lan: userPassword



[root@filemon ~]# cat /etc/sasl2/slapd.conf
# SASL Configuration
log_level: -1
pwcheck_method:auxprop
auxprop_plugin:sasldb
sasldb_path:/etc/sasldb2
mech_list:DIGEST-MD5
#sasl-realm: filemon.eurosistemi.lan


[root@filemon ~]# ldapsearch -x -H ldaps://filemon.eurosistemi.lan -D "cn=Manager,dc=filemon,dc=eurosistemi,dc=lan" -b "ou=Users,dc=filemon,dc=eurosistemi,dc=lan" \
> -W "(uid=m.lattari)" -LLL
Enter LDAP Password:
dn: uid=m.lattari,ou=Users,dc=filemon,dc=eurosistemi,dc=lan
uid: m.lattari
cn: michael lattari
sn: lattari
givenName: michael
ou: Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson


[root@filemon ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap






[root@filemon ~]# pluginviewer
Installed SASL (server side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

Installed SASL (client side) mechanisms are:
DIGEST-MD5 ANONYMOUS CRAM-MD5 EXTERNAL
List of client plugins follows
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION






[root@filemon ~]# ldapsearch -U m.lattari '(uid=m.lattari)' -v
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database






Mar  6 09:23:57 filemon slapd[11510]: slap_listener_activate(7):
Mar  6 09:23:57 filemon slapd[11510]: >>> slap_listener(ldap://127.0.0.1/)
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x63, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=0 do_search
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: => send_search_entry: conn 3 dn=""
Mar  6 09:23:57 filemon slapd[11510]: <= send_search_entry: conn 3 exit.
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_result: conn=3 op=0 p=3
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=1 tag=101 err=0
Mar  6 09:23:57 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:23:57 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:23:57 filemon slapd[11510]: op tag 0x60, time 1299399837
Mar  6 09:23:57 filemon slapd[11510]: conn=3 op=1 do_bind
Mar  6 09:23:57 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:23:57 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:23:57 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:23:57 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_sasl: err=14 len=196
Mar  6 09:23:57 filemon slapd[11510]: send_ldap_response: msgid=2 tag=97 err=14
Mar  6 09:23:57 filemon slapd[11510]: <== slap_sasl_bind: rc=14
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: op tag 0x60, time 1299399840
Mar  6 09:24:00 filemon slapd[11510]: conn=3 op=2 do_bind
Mar  6 09:24:00 filemon slapd[11510]: >>> dnPrettyNormal: <>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnPrettyNormal: <>, <>
Mar  6 09:24:00 filemon slapd[11510]: do_bind: dn () SASL mech DIGEST-MD5
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Debug: DIGEST-MD5 server step 2
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl_getdn: u:id converted to uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=DIGEST-MD5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth>
Mar  6 09:24:00 filemon slapd[11510]: ==>slap_sasl2dn: converting SASL name uid=m.lattari,cn=filemon.eurosistemi.lan,cn=digest-md5,cn=auth to a DN
Mar  6 09:24:00 filemon slapd[11510]: slap_parseURI: parsing ldap:///dc=filemon,dc=eurosistemi,dc=lan??sub?(uid=matt)
Mar  6 09:24:00 filemon slapd[11510]: >>> dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: <<< dnNormalize: <dc=filemon,dc=eurosistemi,dc=lan>
Mar  6 09:24:00 filemon slapd[11510]: slap_sasl2dn: performing internal search (base=dc=filemon,dc=eurosistemi,dc=lan, scope=2)
Mar  6 09:24:00 filemon slapd[11510]: => hdb_search
Mar  6 09:24:00 filemon slapd[11510]: bdb_dn2entry("dc=filemon,dc=eurosistemi,dc=lan")
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar  6 09:24:00 filemon slapd[11510]: SASL [conn=3] Failure: no secret in database
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_result: conn=3 op=2 p=3
Mar  6 09:24:00 filemon slapd[11510]: send_ldap_response: msgid=3 tag=97 err=49
Mar  6 09:24:00 filemon slapd[11510]: <== slap_sasl_bind: rc=49
Mar  6 09:24:00 filemon slapd[11510]: connection_get(12): got connid=3
Mar  6 09:24:00 filemon slapd[11510]: connection_read(12): checking for input on id=3
Mar  6 09:24:00 filemon slapd[11510]: ber_get_next on fd 12 failed errno=0 (Success)
Mar  6 09:24:00 filemon slapd[11510]: connection_close: conn=3 sd=12

Open in new window

0
Comment
Question by:mlattari
  • 2
6 Comments
 

Accepted Solution

by:
mlattari earned 0 total points
Comment Utility
Please!

Where are all the EXPERTS ???

I have found the solution after two weeks of intensive documentation reading....
It is enough to add to the slapd.conf file this ACL rule:

access to *
 by peername.ip=127.0.0.1 =x (server side authentication access from ip 127.0.0.1)

very very strange that nobody helped me ....
0
 

Author Closing Comment

by:mlattari
Comment Utility
please....where are the experts and for what I am paying ?!
0
 
LVL 1

Expert Comment

by:rockas1982
Comment Utility
+1 on the last one
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
CCModeler offers a way to enter basic information like entities, attributes and relationships and export them as yEd or erviz diagram. It also can import existing Access or SQL Server tables with relationships.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now