I have an LDAP openldap server I'm trying to use for alfresco users
authentication, the setup was ok, then I recompiled openldap adding the sasl
flag.

For some reason the new setup points to an empty user database, where I
cannot load user data.

Looking for the reason why saslauth was looking in /etc/sasl2/sasldb2
instead of using Berkeley DB in /var/lib/openldap-data where ldapadd
successfully stored user data from the LDIF file, I discovered that cyrus-sasl
warned me about the database choice:

# You have both the 'gdbm' and 'berkdb' USE flags enabled.
# Will default to GNU DB as your SASLdb database backend.
# If you want to build with BerkeleyDB support, hit Control-C now,
# change your USE flags -gdbm and emerge again.

So I added this line in /etc/portage/package.use
dev-libs/cyrus-sasl -gdbm

and reinstalled cyrus-sasl.

The switch to SASL seemed to be ok on the LDAP side:

aemaeth / # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP

aemaeth / # ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP
supportedSASLMechanisms: EXTERNAL

But then I discovered that SASL was still looking in its database; this time
the error log shows that the database is no longer in sasldb format (these are
the messages generated by "ldapwhoami"):

Jun 29 15:30:50 aemaeth slapd[29062]: >>> slap_listener(ldap://)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_search
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: SRCH "" 0 0
Jun 29 15:30:50 aemaeth slapd[29062]: 0 0 0
Jun 29 15:30:50 aemaeth slapd[29062]: filter: (objectClass=*)
Jun 29 15:30:50 aemaeth slapd[29062]: attrs:
Jun 29 15:30:50 aemaeth slapd[29062]: supportedSASLMechanisms
Jun 29 15:30:50 aemaeth slapd[29062]:
Jun 29 15:30:50 aemaeth slapd[29062]: => send_search_entry: conn 19 dn=""
Jun 29 15:30:50 aemaeth slapd[29062]: <= send_search_entry: conn 19 exit.
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: conn=19 op=0 p=3
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: err=0 matched="" text=""
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=1 tag=101 err=0
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_bind
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:50 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Jun 29 15:30:50 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 1
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_sasl: err=14 len=191
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=2 tag=97 err=14
Jun 29 15:30:50 aemaeth slapd[29062]: <== slap_sasl_bind: rc=14
Jun 29 15:30:50 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: do_bind
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:52 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:52 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=<continuing> datalen=281
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 2
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authcid="root"
Jun 29 15:30:52 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: conn 19 id=root [len=4]
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
Jun 29 15:30:52 aemaeth slapd[29062]: slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authzid="root"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Failure: no secret in database
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: conn=19 op=2 p=3
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_response: msgid=3 tag=97 err=49
Jun 29 15:30:52 aemaeth slapd[29062]: <== slap_sasl_bind: rc=49
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: ber_get_next on fd 13 failed errno=0 (Success)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_closing: readying conn=19 sd=13 for close
Jun 29 15:30:52 aemaeth slapd[29062]: connection_close: conn=19 sd=-1

"/etc/sasl2/sasldb2" is hardcoded into the library itself:
aemaeth ~ # strings /usr/lib64/sasl2/libsasldb.so.2.0.22 | grep sasldb2
/etc/sasl2/sasldb2

Moreover if I run "slapcat" I can see all LDAP data, but in the error log
these lines appear:

Jun 29 15:33:24 aemaeth slapcat: sql_select option missing
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error no mechanism available
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error invalid parameter supplied
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

However the plugins seem to be ok, according to pluginviewer:

aemaeth ~ # pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb sql
List of auxprop plugins follows
Plugin "ldapdb" , API version: 4
supports store: yes

Plugin "sasldb" , API version: 4
supports store: yes

Plugin "sql" , API version: 4
supports store: yes

saslauthd is running with the following config:
aemaeth ~ # cat /etc/sasl2/saslauthd.conf | grep -v ^# | grep -v ^$
ldap_servers: ldap://localhost:389/
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: uid=admin,dc=secompower,dc=it
ldap_bind_pw: secret
ldap_search_base: dc=secompower,dc=it

Please help me, as I'm starting to be quite frustrated.

Thanks in advance
Francesco Talamona

-- |
203 |
gentoo-user@l.g.o mailing list |
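The slapd log in the post shows three steps worth reproducing offline: the SASL identity "root" is turned into the pseudo-DN uid=root,cn=DIGEST-MD5,cn=auth and lower-cased by dnNormalize, slap_authz_regexp converts it to <nothing>, and the bind then ends up at the sasldb plugin (/etc/sasl2/sasldb2) with "no secret in database". The following is an added example, not part of the original post and not OpenLDAP's or Cyrus SASL's own code: a Python model of the authz-regexp mapping step that slapd performs (rules tried in order, first match wins, $1..$9 replaced by captured groups, an empty rule set yields no DN) and of the userPassword lookup that follows it, run against a constructed in-memory directory. The entries, DNs, passwords and the realm name are invented for the example; Python's re module stands in for the POSIX regexec slapd uses; the rule is written in the form the OpenLDAP Administrator's Guide documents for authz-regexp.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed in-memory directory (assumption: not the poster's real data).
# DIGEST-MD5 can only be served from a cleartext userPassword; a hashed value
# (e.g. {SSHA}) cannot be turned back into the digest the mechanism needs.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=root,ou=people,dc=secompower,dc=it": {"userPassword": "cleartext-secret"},
    "uid=alice,ou=people,dc=secompower,dc=it": {"userPassword": "{SSHA}c2FsdGVkaGFzaGJ5dGVz"},
}

# slapd.conf style authz-regexp rules: (regexp over the normalized SASL DN,
# replacement using $N for captured groups). Both are assumptions for the example.
NO_RULES: List[Tuple[str, str]] = []
PEOPLE_RULES: List[Tuple[str, str]] = [
    (r"^uid=([^,]*),cn=digest-md5,cn=auth$", "uid=$1,ou=people,dc=secompower,dc=it"),
]


def sasl_authc_dn(authcid: str, mech: str) -> str:
    """Build the pseudo-DN slapd derives from a SASL identity, as seen in the log:
    'u:root' + DIGEST-MD5 -> uid=root,cn=DIGEST-MD5,cn=auth, lower-cased by dnNormalize."""
    return f"uid={authcid},cn={mech},cn=auth".lower()


def authz_regexp(sasl_dn: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Apply authz-regexp rules in order; the first match wins and $1..$9 are
    replaced by captured groups. No match returns None, which is what slapd
    logs as 'Converted SASL name to <nothing>'."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn)
        if m is None:
            continue
        mapped = replacement
        for i, group in enumerate(m.groups(), start=1):
            mapped = mapped.replace(f"${i}", group)
        return mapped
    return None


def usable_for_digest_md5(user_password: Optional[str]) -> bool:
    """DIGEST-MD5 needs the cleartext password; an RFC 2307 '{scheme}' prefix means hashed."""
    return user_password is not None and not user_password.startswith("{")


def lookup_secret(authcid: str, mech: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Model of the slapd-side lookup: map the SASL name to a DN, then read userPassword.
    None means slapd has no usable secret of its own; in the poster's log the sasldb
    plugin is consulted next and fails with 'no secret in database'."""
    dn = authz_regexp(sasl_authc_dn(authcid, mech), rules)
    if dn is None:
        return None
    pw = DIRECTORY.get(dn, {}).get("userPassword")
    return pw if usable_for_digest_md5(pw) else None


def digest_md5_inner_a1(username: str, realm: str, password: str) -> str:
    """Hex of H(username:realm:password), the password-dependent core of A1 in
    RFC 2831; the server must be able to compute it, hence the cleartext requirement."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    # Mirrors the failing bind in the post: no rule, so nothing maps.
    print(authz_regexp(sasl_authc_dn("root", "DIGEST-MD5"), NO_RULES))
    # With a rule in place the same identity reaches a real entry.
    print(lookup_secret("root", "DIGEST-MD5", PEOPLE_RULES))
    # Hashed userPassword: the entry exists but cannot serve DIGEST-MD5.
    print(lookup_secret("alice", "DIGEST-MD5", PEOPLE_RULES))
```

Two things the model makes visible that the log alone does not: the rule has to be written against the lower-cased form (cn=digest-md5, not cn=DIGEST-MD5), because dnNormalize runs before slap_authz_regexp; and even with a correct mapping, a userPassword stored with a {scheme} hash leaves DIGEST-MD5 (and CRAM-MD5) with nothing to compute from, so the cleartext requirement is a property of the mechanism, not of the sasldb/LDAP backend choice.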