LDAP+SASL

Michael Peek peek at tiem.utk.edu
Thu Feb 19 22:49:25 UTC 2009


Norberto Bensa wrote:
> On Thu, Feb 19, 2009 at 7:26 PM, Michael Peek <peek at tiem.utk.edu> wrote:
>   
>> sasl-regexp            uid=(.*),cn=.*,cn=auth
>> uid=$1,ou=People,dc=nimbios,dc=org
>>     
>
> You have at least two problems. The first one is sasl-regexp, AFAIK it
> should be authz-regexp. The second problem is ".*" will match
> everything and will not work as you expect. You need to tell the
> regexp when to stop:
>
> authz-regexp
>     uid=([^,]*),cn=[^,]*,cn=auth
>     uid=$1,ou=People,dc=nimbios,dc=org
>
> Also, remember to add "authz-policy to" too.
>
> If it continues to fail, increase loglevel in slapd.conf
>
>
> Regards,
> Norberto
>
>   

Thanks Norberto.

I've removed the sasl-regexp and added the following:

authz-regexp      uid=(.*),cn=[^,]*,cn=auth uid=$1,ou=People,dc=nimbios,dc=org
authz-policy      to

I also set the loglevel to stats.

On the linux host, I can type the following and get LDIF entries back:

ldapsearch -U admin@realm -H 'ldap://ldap.host.org/' -b "dc=nimbios,dc=org" '(objectClass=*)'

But the mac still fails to bind.  I'm telling the mac to bind with 
cn=admin,dc=nimbios,dc=org, and giving it the password for the directory 
admin.  Here's the output from slapd:

slapd[19182]: conn=0 fd=15 ACCEPT from IP=xxx.xxx.xxx.xxx:49533 (IP=0.0.0.0:389)
slapd[19182]: conn=1 fd=16 ACCEPT from IP=xxx.xxx.xxx.xxx:49534 (IP=0.0.0.0:389)
slapd[19182]: conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[19182]: conn=1 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
slapd[19182]: conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[19182]: conn=0 fd=15 closed (connection lost)
slapd[19182]: conn=1 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[19182]: conn=1 op=1 SRCH attr=subschemasubentry
slapd[19182]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[19182]: conn=1 op=2 SRCH base="cn=Subschema" scope=0 deref=0 filter="(objectClass=subschema)"
slapd[19182]: conn=1 op=2 SRCH attr=objectclasses
slapd[19182]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[19182]: conn=1 op=3 SRCH base="dc=nimbios,dc=org" scope=2 deref=0 filter="(&(objectClass=organizationalUnit)(ou=macosxodconfig))"
slapd[19182]: conn=1 op=3 SRCH attr=description
slapd[19182]: <= bdb_equality_candidates: (ou) not indexed
slapd[19182]: conn=1 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[19182]: conn=1 op=4 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[19182]: conn=1 op=4 SRCH attr=altserver
slapd[19182]: conn=1 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[19182]: conn=2 fd=17 ACCEPT from IP=xxx.xxx.xxx.xxx:49535 (IP=0.0.0.0:389)
slapd[19182]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[19182]: conn=2 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
slapd[19182]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[19182]: conn=2 op=1 BIND dn="" method=163
slapd[19182]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
slapd[19182]: conn=2 op=2 BIND dn="" method=163
slapd[19182]: SASL [conn=2] Failure: no secret in database
slapd[19182]: conn=2 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[19182]: conn=2 op=3 BIND dn="cn=admin,dc=nimbios,dc=org" method=128
slapd[19182]: conn=2 op=3 BIND dn="cn=admin,dc=nimbios,dc=org" mech=SIMPLE ssf=0
slapd[19182]: conn=2 op=3 RESULT tag=97 err=0 text=
slapd[19182]: conn=1 op=5 UNBIND
slapd[19182]: conn=2 op=4 SRCH base="dc=nimbios,dc=org" scope=2 deref=0 filter="(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))"
slapd[19182]: conn=1 fd=16 closed
slapd[19182]: conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[19182]: conn=2 op=5 UNBIND
slapd[19182]: conn=2 fd=17 closed
slapd[19182]: conn=3 fd=16 ACCEPT from IP=xxx.xxx.xxx.xxx:59419 (IP=0.0.0.0:389)
slapd[19182]: conn=3 op=0 BIND dn="cn=admin,dc=nimbios,dc=org" method=128
slapd[19182]: conn=3 op=0 BIND dn="cn=admin,dc=nimbios,dc=org" mech=SIMPLE ssf=0
slapd[19182]: conn=3 op=0 RESULT tag=97 err=0 text=
slapd[19182]: conn=3 op=1 SRCH base="dc=nimbios,dc=org" scope=2 deref=0 filter="(objectClass=*)"
slapd[19182]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[19182]: conn=3 fd=16 closed (connection lost)

Any and all help welcomed.

Michael
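An added Python example (not from this thread or from OpenLDAP) covering both Norberto's regexp point and the slapd log above. The first part approximates authz-regexp rewriting, assuming slapd's documented identity form uid=<user>[,cn=<realm>],cn=<mech>,cn=auth and a whole-string match, to show the greedy `.*` capturing a realm component into $1 where `[^,]*` refuses to map; the second part pairs BIND requests with their RESULT lines in stats-level logs and reports failed binds and simple binds that went over the wire with ssf=0.

```python
import re
# (1) authz-regexp, approximated: slapd matches the SASL identity
# "uid=<user>[,cn=<realm>],cn=<mech>,cn=auth" and fills $1 from group 1.
def authz_map(pattern, replacement, sasl_dn):
    m = re.fullmatch(pattern, sasl_dn)  # assumption: whole identity must match
    if not m:
        return None                      # unmapped identity: the bind is refused
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
SASL_DN = "uid=admin,cn=EXAMPLE.ORG,cn=DIGEST-MD5,cn=auth"  # constructed, with realm
GREEDY = r"uid=(.*),cn=.*,cn=auth"        # the pattern from the thread
STRICT = r"uid=([^,]*),cn=[^,]*,cn=auth"  # Norberto's pattern
TARGET = "uid=$1,ou=People,dc=nimbios,dc=org"

# (2) Pair each BIND with its RESULT (tag=97 = bindResponse) by (conn, op).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"'
                     r'(?: method=(\d+))?(?: mech=(\S+) ssf=(\d+))?')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)")
def bind_results(lines):
    binds = {}
    for line in lines:
        if m := BIND_RE.search(line):
            conn, op, dn, method, mech, ssf = m.groups()
            b = binds.setdefault((int(conn), int(op)), {"dn": dn, "err": None, "text": "",
                                 "mech": "SASL" if method == "163" else None, "ssf": None})
            if mech:                     # second BIND line carries mech= and ssf=
                b["mech"], b["ssf"] = mech, int(ssf)
        elif (m := RESULT_RE.search(line)) and (b := binds.get((int(m[1]), int(m[2])))):
            b["err"], b["text"] = int(m[3]), m[4].strip()
    return binds

def findings(binds):
    """Failed binds, plus simple binds that sent the password with ssf=0."""
    out = []
    for (conn, op), b in sorted(binds.items()):
        if b["err"]:
            out.append(f"conn={conn} op={op} {b['mech']} bind failed err={b['err']}: {b['text']}")
        elif b["mech"] == "SIMPLE" and b["ssf"] == 0:
            out.append(f"conn={conn} op={op} SIMPLE bind as {b['dn']} with ssf=0 (no TLS)")
    return out

LOG = """\
slapd[19182]: conn=2 op=1 BIND dn="" method=163
slapd[19182]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
slapd[19182]: conn=2 op=2 BIND dn="" method=163
slapd[19182]: conn=2 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[19182]: conn=2 op=3 BIND dn="cn=admin,dc=nimbios,dc=org" method=128
slapd[19182]: conn=2 op=3 BIND dn="cn=admin,dc=nimbios,dc=org" mech=SIMPLE ssf=0
slapd[19182]: conn=2 op=3 RESULT tag=97 err=0 text=
""".splitlines()  # constructed sample, copied from the thread's log
```

Running `findings(bind_results(LOG))` lists the two SASL failures (err=14 and err=49) and the cleartext simple bind that finally succeeded, which is the sequence the Mac produced in the log above.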

More information about the ubuntu-users mailing list