LDAP+SASL
Michael Peek
peek at tiem.utk.edu
Fri Feb 20 22:39:13 UTC 2009
Norberto Bensa wrote:
> I just spotted a bug in what I said :-)
>
> Your second and fourth rules will never match. It's pretty obvious now.
> Take a careful look at your 1st and 2nd rules, and then to your 3rd
> and 4th rule and you'll understand why.
>
I commented out rule 2 and 4. This is what I have now:
authz-regexp
uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth
cn=$1,ou=People,dc=nimbios,dc=org
#authz-regexp
# uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth
# cn=$1,dc=nimbios,dc=org
authz-regexp
uid=([^,]*),cn=[^,]*,cn=auth
cn=$1,ou=People,dc=nimbios,dc=org
#authz-regexp
# uid=([^,]*),cn=[^,]*,cn=auth
# cn=$1,dc=nimbios,dc=org
So the only one that should match is the one in ou=People.
> This is uid=admin at castor,cn=CRAM-MD5,cn=auth and then -from your
> rules- cn=admin at castor,ou=People,dc=nimbios,dc=org
>
> If you have no admin at castor in ou=People, it will not work. Also, if
> you store your secrets as SSHA (or some other hashed procedure)
> CRAM-MD5, DIGEST-MD5 will not work either.
>
> Now (from your logs), your Mac seems to try again with
> uid=admin,cn=CRAM-MD5,cn=auth (cn=admin,ou=People,dc=nimbios,dc=org)
> but your userPassword for that entry is hashed with SSHA. You need to
> change it to CLEARTEXT if you want CRAM/DIGEST.
>
My current LDAP entry:
4 cn=admin,ou=People,dc=nimbios,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
userPassword: {CLEARTEXT}...<stuff>...
cn: admin
> Once you fix these problems, repeat your ldapsearch like this:
>
> $ ldapsearch -U admin -Y CRAM-MD5 -W
>
Output from linux host:
--------------------------------------------
# ldapsearch -H ldap://castor.nimbios.org -U admin -Y CRAM-MD5 -W
Enter LDAP Password:
SASL/CRAM-MD5 authentication started
SASL username: admin
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=nimbios,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# nimbios.org
dn: dc=nimbios,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: nimbios.org
dc: nimbios
# admin, nimbios.org
dn: cn=admin,dc=nimbios,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
cn: admin
userPassword:: <GOBBLEDYGOOK>
# People, nimbios.org
dn: ou=People,dc=nimbios,dc=org
objectClass: organizationalUnit
ou: People
# Groups, nimbios.org
dn: ou=Groups,dc=nimbios,dc=org
objectClass: organizationalUnit
ou: Groups
# admin, People, nimbios.org
dn: cn=admin,ou=People,dc=nimbios,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
userPassword:: <GOBBELDYGOOK>
cn: admin
# search result
search: 3
result: 0 Success
# numResponses: 6
# numEntries: 5
--------------------------------------------
I noticed that the passwords are strings of nonsense characters
/without/ a preceding {HASH-METHOD} string. They are not the
{CLEARTEXT} entries that I entered with my editor. I reloaded and
double-checked, and cn=admin,ou=People,dc=nimbios,dc=org has a
{CLEARTEXT} password according to my editor.
Syslog from ldapsearch on linux:
--------------------------------------------
Feb 20 17:31:05 castor slapd[32116]: slap_listener_activate(9):
Feb 20 17:31:05 castor slapd[32116]: >>> slap_listener(ldap:///)
Feb 20 17:31:05 castor slapd[32116]: conn=3 fd=15 ACCEPT from
IP=xx.xx.xx.xx:57053 (IP=0.0.0.0:389)
Feb 20 17:31:05 castor slapd[32116]: connection_get(15): got connid=3
Feb 20 17:31:05 castor slapd[32116]: connection_read(15): checking for
input on id=3
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=0 do_bind
Feb 20 17:31:05 castor slapd[32116]: >>> dnPrettyNormal: <>
Feb 20 17:31:05 castor slapd[32116]: <<< dnPrettyNormal: <>, <>
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=0 BIND dn="" method=163
Feb 20 17:31:05 castor slapd[32116]: do_bind: dn () SASL mech CRAM-MD5
Feb 20 17:31:05 castor slapd[32116]: send_ldap_sasl: err=14 len=40
Feb 20 17:31:05 castor slapd[32116]: send_ldap_response: msgid=1 tag=97
err=14
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=0 RESULT tag=97 err=14
text=SASL(0): successful result:
Feb 20 17:31:05 castor slapd[32116]: <== slap_sasl_bind: rc=14
Feb 20 17:31:05 castor slapd[32116]: connection_get(15): got connid=3
Feb 20 17:31:05 castor slapd[32116]: connection_read(15): checking for
input on id=3
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=1 do_bind
Feb 20 17:31:05 castor slapd[32116]: >>> dnPrettyNormal: <>
Feb 20 17:31:05 castor slapd[32116]: <<< dnPrettyNormal: <>, <>
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=1 BIND dn="" method=163
Feb 20 17:31:05 castor slapd[32116]: do_bind: dn () SASL mech CRAM-MD5
Feb 20 17:31:05 castor slapd[32116]: slap_sasl_getdn: u:id converted to
uid=admin,cn=CRAM-MD5,cn=auth
Feb 20 17:31:05 castor slapd[32116]: >>> dnNormalize:
<uid=admin,cn=CRAM-MD5,cn=auth>
Feb 20 17:31:05 castor slapd[32116]: <<< dnNormalize:
<uid=admin,cn=cram-md5,cn=auth>
Feb 20 17:31:05 castor slapd[32116]: ==>slap_sasl2dn: converting SASL
name uid=admin,cn=cram-md5,cn=auth to a DN
Feb 20 17:31:05 castor slapd[32116]: slap_parseURI: parsing
cn=admin,ou=People,dc=nimbios,dc=org
Feb 20 17:31:05 castor slapd[32116]: >>> dnNormalize:
<cn=admin,ou=People,dc=nimbios,dc=org>
Feb 20 17:31:05 castor slapd[32116]: <<< dnNormalize:
<cn=admin,ou=people,dc=nimbios,dc=org>
Feb 20 17:31:05 castor slapd[32116]: <==slap_sasl2dn: Converted SASL
name to cn=admin,ou=people,dc=nimbios,dc=org
Feb 20 17:31:05 castor slapd[32116]: slap_sasl_getdn: dn:id converted to
cn=admin,ou=people,dc=nimbios,dc=org
Feb 20 17:31:05 castor slapd[32116]: => hdb_search
Feb 20 17:31:05 castor slapd[32116]:
bdb_dn2entry("cn=admin,ou=people,dc=nimbios,dc=org")
Feb 20 17:31:05 castor slapd[32116]: slap_ap_lookup:
str2ad(cmusaslsecretCRAM-MD5): attribute type undefined
Feb 20 17:31:05 castor slapd[32116]: send_ldap_result: conn=3 op=1 p=3
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=1 BIND authcid="admin"
authzid="admin"
Feb 20 17:31:05 castor slapd[32116]: SASL Authorize [conn=3]: proxy
authorization allowed authzDN=""
Feb 20 17:31:05 castor slapd[32116]: send_ldap_sasl: err=0 len=-1
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=1 BIND
dn="cn=admin,ou=people,dc=nimbios,dc=org" mech=CRAM-MD5 sasl_ssf=0 ssf=0
Feb 20 17:31:05 castor slapd[32116]: do_bind: SASL/CRAM-MD5 bind:
dn="cn=admin,ou=people,dc=nimbios,dc=org" sasl_ssf=0
Feb 20 17:31:05 castor slapd[32116]: send_ldap_response: msgid=2 tag=97
err=0
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=1 RESULT tag=97 err=0 text=
Feb 20 17:31:05 castor slapd[32116]: <== slap_sasl_bind: rc=0
Feb 20 17:31:05 castor slapd[32116]: connection_get(15): got connid=3
Feb 20 17:31:05 castor slapd[32116]: connection_read(15): checking for
input on id=3
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=2 do_search
Feb 20 17:31:05 castor slapd[32116]: >>> dnPrettyNormal:
<dc=nimbios,dc=org>
Feb 20 17:31:05 castor slapd[32116]: <<< dnPrettyNormal:
<dc=nimbios,dc=org>, <dc=nimbios,dc=org>
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=2 SRCH
base="dc=nimbios,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Feb 20 17:31:05 castor slapd[32116]: ==> limits_get: conn=3 op=2
dn="cn=admin,ou=people,dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: => hdb_search
Feb 20 17:31:05 castor slapd[32116]: bdb_dn2entry("dc=nimbios,dc=org")
Feb 20 17:31:05 castor slapd[32116]: search_candidates:
base="dc=nimbios,dc=org" (0x00000001) scope=2
Feb 20 17:31:05 castor slapd[32116]: => hdb_dn2idl("dc=nimbios,dc=org")
Feb 20 17:31:05 castor slapd[32116]: => bdb_presence_candidates
(objectClass)
Feb 20 17:31:05 castor slapd[32116]: bdb_search_candidates: id=-1
first=1 last=6
Feb 20 17:31:05 castor slapd[32116]: => send_search_entry: conn 3
dn="dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: <= send_search_entry: conn 3 exit.
Feb 20 17:31:05 castor slapd[32116]: => send_search_entry: conn 3
dn="cn=admin,dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: <= send_search_entry: conn 3 exit.
Feb 20 17:31:05 castor slapd[32116]: => send_search_entry: conn 3
dn="ou=People,dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: <= send_search_entry: conn 3 exit.
Feb 20 17:31:05 castor slapd[32116]: => send_search_entry: conn 3
dn="ou=Groups,dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: <= send_search_entry: conn 3 exit.
Feb 20 17:31:05 castor slapd[32116]: => send_search_entry: conn 3
dn="cn=admin,ou=People,dc=nimbios,dc=org"
Feb 20 17:31:05 castor slapd[32116]: <= send_search_entry: conn 3 exit.
Feb 20 17:31:05 castor slapd[32116]: send_ldap_result: conn=3 op=2 p=3
Feb 20 17:31:05 castor slapd[32116]: send_ldap_response: msgid=3 tag=101
err=0
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=2 SEARCH RESULT tag=101
err=0 nentries=5 text=
Feb 20 17:31:05 castor slapd[32116]: connection_get(15): got connid=3
Feb 20 17:31:05 castor slapd[32116]: connection_read(15): checking for
input on id=3
Feb 20 17:31:05 castor slapd[32116]: ber_get_next on fd 15 failed
errno=0 (Success)
Feb 20 17:31:05 castor slapd[32116]: connection_closing: readying conn=3
sd=15 for close
Feb 20 17:31:05 castor slapd[32116]: connection_close: deferring conn=3
sd=15
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=3 do_unbind
Feb 20 17:31:05 castor slapd[32116]: conn=3 op=3 UNBIND
Feb 20 17:31:05 castor slapd[32116]: connection_resched: attempting
closing conn=3 sd=15
Feb 20 17:31:05 castor slapd[32116]: connection_close: deferring conn=3
sd=15
Feb 20 17:31:05 castor slapd[32116]: connection_resched: attempting
closing conn=3 sd=15
Feb 20 17:31:05 castor slapd[32116]: connection_close: conn=3 sd=15
Feb 20 17:31:05 castor slapd[32116]: conn=3 fd=15 closed
--------------------------------------------
Output from Mac host:
--------------------------------------------
$ ldapsearch -H ldap://castor.nimbios.org -U admin -Y CRAM-MD5 -W
Enter LDAP Password:
SASL/CRAM-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
--------------------------------------------
Syslog from ldapsearch on Mac:
--------------------------------------------
Feb 20 17:31:39 castor slapd[32116]: slap_listener_activate(9):
Feb 20 17:31:39 castor slapd[32116]: >>> slap_listener(ldap:///)
Feb 20 17:31:39 castor slapd[32116]: conn=4 fd=15 ACCEPT from
IP=xx.xx.xx.xx:50557 (IP=0.0.0.0:389)
Feb 20 17:31:39 castor slapd[32116]: connection_get(15): got connid=4
Feb 20 17:31:39 castor slapd[32116]: connection_read(15): checking for
input on id=4
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=0 do_bind
Feb 20 17:31:39 castor slapd[32116]: >>> dnPrettyNormal: <>
Feb 20 17:31:39 castor slapd[32116]: <<< dnPrettyNormal: <>, <>
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=0 BIND dn="" method=163
Feb 20 17:31:39 castor slapd[32116]: do_bind: dn () SASL mech CRAM-MD5
Feb 20 17:31:39 castor slapd[32116]: send_ldap_sasl: err=14 len=39
Feb 20 17:31:39 castor slapd[32116]: send_ldap_response: msgid=1 tag=97
err=14
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=0 RESULT tag=97 err=14
text=SASL(0): successful result:
Feb 20 17:31:39 castor slapd[32116]: <== slap_sasl_bind: rc=14
Feb 20 17:31:39 castor slapd[32116]: connection_get(15): got connid=4
Feb 20 17:31:39 castor slapd[32116]: connection_read(15): checking for
input on id=4
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=1 do_bind
Feb 20 17:31:39 castor slapd[32116]: >>> dnPrettyNormal: <>
Feb 20 17:31:39 castor slapd[32116]: <<< dnPrettyNormal: <>, <>
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=1 BIND dn="" method=163
Feb 20 17:31:39 castor slapd[32116]: do_bind: dn () SASL mech CRAM-MD5
Feb 20 17:31:39 castor slapd[32116]: slap_sasl_getdn: u:id converted to
uid=admin,cn=CRAM-MD5,cn=auth
Feb 20 17:31:39 castor slapd[32116]: >>> dnNormalize:
<uid=admin,cn=CRAM-MD5,cn=auth>
Feb 20 17:31:39 castor slapd[32116]: <<< dnNormalize:
<uid=admin,cn=cram-md5,cn=auth>
Feb 20 17:31:39 castor slapd[32116]: ==>slap_sasl2dn: converting SASL
name uid=admin,cn=cram-md5,cn=auth to a DN
Feb 20 17:31:39 castor slapd[32116]: slap_parseURI: parsing
cn=admin,ou=People,dc=nimbios,dc=org
Feb 20 17:31:39 castor slapd[32116]: >>> dnNormalize:
<cn=admin,ou=People,dc=nimbios,dc=org>
Feb 20 17:31:39 castor slapd[32116]: <<< dnNormalize:
<cn=admin,ou=people,dc=nimbios,dc=org>
Feb 20 17:31:39 castor slapd[32116]: <==slap_sasl2dn: Converted SASL
name to cn=admin,ou=people,dc=nimbios,dc=org
Feb 20 17:31:39 castor slapd[32116]: slap_sasl_getdn: dn:id converted to
cn=admin,ou=people,dc=nimbios,dc=org
Feb 20 17:31:39 castor slapd[32116]: => hdb_search
Feb 20 17:31:39 castor slapd[32116]:
bdb_dn2entry("cn=admin,ou=people,dc=nimbios,dc=org")
Feb 20 17:31:39 castor slapd[32116]: =>
hdb_dn2id("cn=admin,ou=people,dc=nimbios,dc=org")
Feb 20 17:31:39 castor slapd[32116]: <= hdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Feb 20 17:31:39 castor slapd[32116]: send_ldap_result: conn=4 op=1 p=3
Feb 20 17:31:39 castor slapd[32116]: SASL [conn=4] Failure: no secret in
database
Feb 20 17:31:39 castor slapd[32116]: send_ldap_result: conn=4 op=1 p=3
Feb 20 17:31:39 castor slapd[32116]: send_ldap_response: msgid=2 tag=97
err=49
Feb 20 17:31:39 castor slapd[32116]: conn=4 op=1 RESULT tag=97 err=49
text=SASL(-13): user not found: no secret in database
Feb 20 17:31:39 castor slapd[32116]: <== slap_sasl_bind: rc=49
Feb 20 17:31:39 castor slapd[32116]: connection_get(15): got connid=4
Feb 20 17:31:39 castor slapd[32116]: connection_read(15): checking for
input on id=4
Feb 20 17:31:39 castor slapd[32116]: ber_get_next on fd 15 failed
errno=0 (Success)
Feb 20 17:31:39 castor slapd[32116]: connection_closing: readying conn=4
sd=15 for close
Feb 20 17:31:39 castor slapd[32116]: connection_close: deferring conn=4
sd=15
Feb 20 17:31:39 castor slapd[32116]: connection_resched: attempting
closing conn=4 sd=15
Feb 20 17:31:39 castor slapd[32116]: connection_close: conn=4 sd=15
Feb 20 17:31:39 castor slapd[32116]: conn=4 fd=15 closed (connection lost)
--------------------------------------------
I look at the syslog output and my eyes cross... I'm going to study it
further.
Correct me if I'm wrong, but ou=People and ou=people are the same,
right? There is no case sensitivity, correct?
Michael
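Added example (Python, written for this page, not code from the post or from OpenLDAP): it replays the four authz-regexp rules quoted above against the SASL DNs seen in the syslog to show which rule fires and why the commented-out rules can never match, decodes an LDIF `::` line to show that the "nonsense characters" are base64 (the `::` separator) wrapping the stored value, and compares DN components the way caseIgnoreMatch does. The base64 sample value is constructed; `re.search` matching and `.lower()` normalisation are simplifications of slapd's dnNormalize behaviour.

```python
import base64
import re

# The four authz-regexp rules from the post, in slapd's "$1" replacement
# syntax; rules 2 and 4 are the commented-out ones.  slapd tries the rules
# in order and stops at the first regex that matches the SASL DN.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth", "cn=$1,ou=People,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth", "cn=$1,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "cn=$1,ou=People,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "cn=$1,dc=nimbios,dc=org"),
]

def map_sasl_dn(sasl_dn, rules=AUTHZ_REGEXP):
    """(rule_number, authz_dn) for the first matching rule, else (None, None).
    Case-insensitive like slapd; the replacement is returned as written."""
    for number, (pattern, replacement) in enumerate(rules, start=1):
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)  # "$1" -> "\1"
            return number, m.expand(py_repl)
    return None, None

def unreachable_rules(rules=AUTHZ_REGEXP):
    """Rule numbers whose pattern repeats an earlier rule's pattern: the
    earlier rule always wins, so these can never fire."""
    seen, dead = set(), []
    for number, (pattern, _) in enumerate(rules, start=1):
        if pattern in seen:
            dead.append(number)
        seen.add(pattern)
    return dead

def ldif_value(line):
    """Split one LDIF attribute line into (attribute, value).  '::' means the
    value is base64-encoded (RFC 2849), which is what ldapsearch printed."""
    attr, sep, value = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(value.strip()).decode()
    attr, _, value = line.partition(":")
    return attr.strip(), value.strip()

def dn_equal(a, b):
    """cn and ou use caseIgnoreMatch, so ou=People and ou=people are equal
    (simplified: real normalisation also trims whitespace and unescapes)."""
    return a.lower() == b.lower()

# Constructed sample line (base64 of "{CLEARTEXT}secret"), not from the post.
SAMPLE_LINE = "userPassword:: e0NMRUFSVEVYVH1zZWNyZXQ="
```

Running `map_sasl_dn` on the two DNs slapd logged, `uid=admin,cn=CRAM-MD5,cn=auth` and the realm-qualified `uid=admin,cn=nimbios.org,cn=CRAM-MD5,cn=auth`, shows rules 3 and 1 firing respectively, and `unreachable_rules()` reports rules 2 and 4 as dead.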