Gentoo Archives: gentoo-user

From: ti.liame@×××××.it
To: gentoo-user@l.g.o
Subject: [gentoo-user] SASL LDAP
Date: Sun, 29 Jun 2008 14:06:07
Message-Id: 00f53bd2280bee6206b04bd32e8965ca@213.140.22.71
I have an OpenLDAP server I'm trying to use for Alfresco user authentication. The setup was OK; then I recompiled openldap adding the sasl flag.

For some reason the new setup points to an empty user database, where I
cannot load user data.

Looking for the reason why saslauth was looking in /etc/sasl2/sasldb2 instead of using the Berkeley DB in /var/lib/openldap-data, where ldapadd successfully stored user data from an LDIF file, I discovered that cyrus-sasl had warned me about the database choice:

# You have both the 'gdbm' and 'berkdb' USE flags enabled.
# Will default to GNU DB as your SASLdb database backend.
# If you want to build with BerkeleyDB support, hit Control-C now,
# change your USE flags -gdbm and emerge again.

So I added this line to /etc/portage/package.use:
dev-libs/cyrus-sasl	-gdbm

and reinstalled cyrus-sasl.

The switch to SASL seemed to be ok on the LDAP side:

aemaeth / # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP

aemaeth / # ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: SRP
supportedSASLMechanisms: EXTERNAL

But then I discovered that SASL was still looking in its own database; this time the error log shows that the database is no longer in sasldb format (these are the messages generated by “ldapwhoami”):

Jun 29 15:30:50 aemaeth slapd[29062]: >>> slap_listener(ldap://)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_search
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: SRCH "" 0 0
Jun 29 15:30:50 aemaeth slapd[29062]:     0 0 0
Jun 29 15:30:50 aemaeth slapd[29062]:     filter: (objectClass=*)
Jun 29 15:30:50 aemaeth slapd[29062]:     attrs:
Jun 29 15:30:50 aemaeth slapd[29062]:  supportedSASLMechanisms
Jun 29 15:30:50 aemaeth slapd[29062]:
Jun 29 15:30:50 aemaeth slapd[29062]: => send_search_entry: conn 19 dn=""
Jun 29 15:30:50 aemaeth slapd[29062]: <= send_search_entry: conn 19 exit.
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: conn=19 op=0 p=3
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_result: err=0 matched="" text=""
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=1 tag=101 err=0
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:50 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:50 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:50 aemaeth slapd[29062]: do_bind
Jun 29 15:30:50 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:50 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:50 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:50 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Jun 29 15:30:50 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 1
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_sasl: err=14 len=191
Jun 29 15:30:50 aemaeth slapd[29062]: send_ldap_response: msgid=2 tag=97 err=14
Jun 29 15:30:50 aemaeth slapd[29062]: <== slap_sasl_bind: rc=14
Jun 29 15:30:50 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: do_bind
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnPrettyNormal: <>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnPrettyNormal: <>, <>
Jun 29 15:30:52 aemaeth slapd[29062]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 29 15:30:52 aemaeth slapd[29062]: ==> sasl_bind: dn="" mech=<continuing> datalen=281
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Debug: DIGEST-MD5 server step 2
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authcid="root"
Jun 29 15:30:52 aemaeth ldapwhoami: DIGEST-MD5 client step 2
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: conn 19 id=root [len=4]
Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: >>> dnNormalize: <uid=root,cn=DIGEST-MD5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
Jun 29 15:30:52 aemaeth slapd[29062]: ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
Jun 29 15:30:52 aemaeth slapd[29062]: slap_authz_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: SASL Canonicalize [conn=19]: authzid="root"
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Failure: no secret in database
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: conn=19 op=2 p=3
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_response: msgid=3 tag=97 err=49
Jun 29 15:30:52 aemaeth slapd[29062]: <== slap_sasl_bind: rc=49
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_get(13): got connid=19
Jun 29 15:30:52 aemaeth slapd[29062]: connection_read(13): checking for input on id=19
Jun 29 15:30:52 aemaeth slapd[29062]: ber_get_next on fd 13 failed errno=0 (Success)
Jun 29 15:30:52 aemaeth slapd[29062]: connection_closing: readying conn=19 sd=13 for close
Jun 29 15:30:52 aemaeth slapd[29062]: connection_close: conn=19 sd=-1

“/etc/sasl2/sasldb2” is hardcoded into the library itself:
aemaeth ~ # strings /usr/lib64/sasl2/libsasldb.so.2.0.22 | grep sasldb2
/etc/sasl2/sasldb2

Moreover, if I run “slapcat” I can see all the LDAP data, but these lines appear in the error log:

Jun 29 15:33:24 aemaeth slapcat: sql_select option missing
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error no mechanism available
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 29 15:33:24 aemaeth slapcat: auxpropfunc error invalid parameter supplied
Jun 29 15:33:24 aemaeth slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

However, the plugins seem to be OK according to pluginviewer:

aemaeth ~ # pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb sql
List of auxprop plugins follows
Plugin "ldapdb" , 	API version: 4
	supports store: yes

Plugin "sasldb" , 	API version: 4
	supports store: yes

Plugin "sql" , 	API version: 4
	supports store: yes

saslauthd is running with the following config:
aemaeth ~ # cat /etc/sasl2/saslauthd.conf | grep -v ^# | grep -v ^$
ldap_servers: ldap://localhost:389/
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: uid=admin,dc=secompower,dc=it
ldap_bind_pw: secret
ldap_search_base: dc=secompower,dc=it

Please help me, as I'm starting to be quite frustrated.

Thanks in advance
    Francesco Talamona
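
The log in the post shows the actual sequence of events: slapd turns the DIGEST-MD5 identity into uid=root,cn=digest-md5,cn=auth, no authz-regexp maps that onto a directory entry (slap_sasl2dn: Converted SASL name to <nothing>), and only then does it fall back to the Cyrus sasldb, which is where the unreadable /etc/sasl2/sasldb2 and "no secret in database" errors come from. saslauthd plays no part in this: it only verifies cleartext passwords for PLAIN/LOGIN when pwcheck_method is saslauthd, whereas shared-secret mechanisms such as DIGEST-MD5 and CRAM-MD5 need the server to look up the cleartext password itself. The POSIX sh script below is an added example, not part of the original post and not OpenLDAP or Cyrus SASL code: it classifies those log signatures and prints the slapd.conf fragment that addresses the unmapped case. The base DN dc=secompower,dc=it is taken from the saslauthd.conf in the post; the search filter, the sasl-secprops policy and the keyword names are the editor's assumptions.

```shell
#!/bin/sh
# Editor's added example: triage a failed SASL bind from the slapd debug log and
# print the slapd.conf change that addresses it. Not code from the original post,
# OpenLDAP or Cyrus SASL. The base DN dc=secompower,dc=it comes from the post's
# saslauthd.conf; the search filter and the secprops policy are assumptions.

# Constructed sample: the decisive lines from the log in the post, in order.
SAMPLE_LOG='Jun 29 15:30:52 aemaeth slapd[29062]: slap_sasl_getdn: u:id converted to uid=root,cn=DIGEST-MD5,cn=auth
Jun 29 15:30:52 aemaeth slapd[29062]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun 29 15:30:52 aemaeth slapd[29062]: SASL [conn=19] Error: unable to open Berkeley db /etc/sasl2/sasldb2: Invalid argument
Jun 29 15:30:52 aemaeth slapd[29062]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"'

# diagnose_sasl_bind: read slapd log text on stdin, print one keyword.
# Signatures are checked by root cause, not log order: when no authz-regexp maps
# the SASL identity (uid=...,cn=digest-md5,cn=auth) to an entry, slapd has no
# directory entry to take the password from and falls back to Cyrus sasldb, so
# the "unable to open" and "no secret" lines that follow are consequences.
diagnose_sasl_bind() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'Converted SASL name to <nothing>'; then
    echo unmapped           # no matching authz-regexp in slapd.conf
  elif printf '%s\n' "$log" | grep -q 'unable to open Berkeley db'; then
    echo sasldb_unreadable  # sasldb2 missing, wrong permissions or wrong DB format
  elif printf '%s\n' "$log" | grep -q 'no secret in database'; then
    echo nosecret           # user located, but no password the mechanism can use
  elif printf '%s\n' "$log" | grep -q 'slap_sasl_bind: rc=0'; then
    echo ok
  else
    echo unknown
  fi
}

# suggested_fix: print the remedy for a diagnosis keyword.
suggested_fix() {
  case "$1" in
    unmapped)
      cat <<'EOF'
# slapd.conf: map the SASL identity onto a real entry; slapd then reads that
# entry's userPassword itself and sasldb is no longer consulted.
authz-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///dc=secompower,dc=it??sub?(uid=$1)
# DIGEST-MD5 and CRAM-MD5 need the cleartext password to verify the digest, so
# userPassword for those entries must be stored in clear (and ldappasswd must
# not hash it):
password-hash {CLEARTEXT}
# Stop advertising mechanisms that send the password in clear over plain ldap://
# (PLAIN, LOGIN) and anonymous SASL binds:
sasl-secprops noplain,noanonymous
EOF
      ;;
    sasldb_unreadable)
      echo 'Recreate the Cyrus secrets store with: saslpasswd2 -c -u <realm> <user>'
      echo 'or stop depending on sasldb by adding an authz-regexp mapping in slapd.conf.' ;;
    nosecret)
      echo 'Give the entry a cleartext userPassword (password-hash {CLEARTEXT}),'
      echo 'or add the user with saslpasswd2 if you really want sasldb.' ;;
    ok)
      echo 'Nothing to fix.' ;;
    *)
      echo 'No known signature; run slapd with -d -1 and look at the SASL lines.' ;;
  esac
}

# Run on the constructed sample.
diagnosis=$(printf '%s\n' "$SAMPLE_LOG" | diagnose_sasl_bind)
echo "diagnosis: $diagnosis"
suggested_fix "$diagnosis"
```

On a live system, pipe the slapd lines from syslog into diagnose_sasl_bind instead of SAMPLE_LOG, apply the fragment, and confirm with `ldapwhoami -Y DIGEST-MD5 -U <uid>` that the bind now returns the mapped DN. Two caveats: cleartext userPassword is the price of DIGEST-MD5/CRAM-MD5 (RFC 6331 later moved DIGEST-MD5 to Historic; TLS with a simple bind, or SASL EXTERNAL over ldapi://, avoids storing cleartext), and /etc/sasl2/saslauthd.conf carries the cleartext ldap_bind_pw, so it must be readable only by the account saslauthd runs as.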

 


-- 
gentoo-user@l.g.o mailing list