openldap-technical

Re: Error encountered while enabling SASL

To: Gaurav Gugnani <gugnanigaurav@xxxxxxxxx>
Subject: Re: Error encountered while enabling SASL
From: Dan White <dwhite@xxxxxxx>
Date: Wed, 8 Feb 2012 10:02:09 -0600
Cc: openldap-technical@xxxxxxxxxxxx, Raffael Sahli <public@xxxxxxxxxxxxxxxx>, anax@xxxxxxxx
Delivery-date: Wed, 08 Feb 2012 11:17:03 -0500
Envelope-to: traductor@xxxxxxxxxxx
In-reply-to: <CANnGQdiyySXTvf99+dMcb0WAjgKjxb_AR6tpH78swguwv7QHXg@mail.gmail.com>
List-archive: <http://www.openldap.org/lists/openldap-technical>
List-help: <mailto:openldap-technical-request@openldap.org?subject=help>
List-id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-post: <mailto:openldap-technical@openldap.org>
List-subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>, <mailto:openldap-technical-request@openldap.org?subject=subscribe>
List-unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>, <mailto:openldap-technical-request@openldap.org?subject=unsubscribe>
References: <CANnGQdj1wbTwvMhmKBQaVYzJorFZSdwtiut2hRCWyXN52bxpqQ@mail.gmail.com> <CANnGQdiFnDjxVSSWX5HXmg0rVb3L0FmkS-5Fm6CA0V2jeAYzDw@mail.gmail.com> <CANnGQdihsjwELaKJAofYUDDvnTzdb7T1pygy3GANz6_PzieZnA@mail.gmail.com> <20120207150730.GB4769@dan.olp.net> <CANnGQdiyySXTvf99+dMcb0WAjgKjxb_AR6tpH78swguwv7QHXg@mail.gmail.com>
Sender: openldap-technical-bounces@xxxxxxxxxxxx
User-agent: Mutt/1.5.21 (2010-09-15)

On 02/08/12 16:22 +0530, Gaurav Gugnani wrote:
Hello,

Thanks for replying.

Now, I am proceeding with the following steps but am still getting an error:

Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

2> cat /etc/openldap/slapd.conf
password-hash {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

*Note:* ACL are given properly.

3> Then I'm trying to add a user: cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject

ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif

5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b
'uid=sasluser12,ou=System,o=xyz'

You should be providing just the username with the -U option. I recommend
using ldapwhoami to test your authz-regexp rules:

ldapwhoami -Y digest-md5 -U sasluser21

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
       additional info: SASL(-13): user not found: no secret in database

In the log file I got some clue: that it's trying to use a modified dn.

Have a look please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to
uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name
uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1]
string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply
rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth'
string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1]
res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to
uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to
uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")

Notice the uid=uid\3Dsasluser21... here, instead of the desired
uid=sasluser21...

slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data
pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz"
"entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry"
requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0

You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".

See slapd.access(5).

slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3

--
Dan White

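The failure in the log above comes from how slapd turns the SASL authcid into a DN before the authz-regexp rule runs: the authcid is placed as the value of a uid RDN, so any `=` inside it is hex-escaped (`\3D`), and `-U uid=sasluser21` therefore maps to `uid=uid\3Dsasluser21,ou=System,o=xyz`, an entry that does not exist, which is what the slapd auxprop plugin then reports as "no secret in database". The following Python script is an added example, not code from the thread or from OpenLDAP; it simulates that pipeline (RDN escaping, the unanchored case-insensitive rewrite seen in the log, and the lookup of the mapped entry) against a constructed in-memory directory, so that `-U uid=sasluser21` and `-U sasluser21` can be compared offline. The rule set, the directory contents and the RDN escaping helper are assumptions modelled on the posted config and log, not a reimplementation of slapd's code.

```python
import re

# RFC 4514 special characters inside an RDN value. slapd hex-escapes them,
# which is why the posted log shows 'uid=uid\3Dsasluser21' for '-U uid=sasluser21'.
_RDN_SPECIAL = set(',+"\\<>;=#')

# The rule as slapd printed it in the posted log (rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth').
RULES = [
    (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz"),
]

# Constructed stand-in for the directory: the entry the poster added with ldapadd.
DIRECTORY = {
    "uid=sasluser21,ou=System,o=xyz": {"userPassword": "sasluser21"},
}


def escape_rdn_value(value):
    """Escape an RDN attribute value using the \\XX hex form slapd logs ('=' -> '\\3D')."""
    return "".join("\\%02X" % ord(c) if c in _RDN_SPECIAL else c for c in value)


def sasl_auth_dn(authcid, mech):
    """Build the internal DN slapd derives from a SASL authcid (the 'u:' form):
    uid=<escaped authcid>,cn=<MECH>,cn=auth."""
    return "uid=%s,cn=%s,cn=auth" % (escape_rdn_value(authcid), mech)


def apply_authz_regexp(sasl_dn, rules):
    """Apply authz-regexp rules in order; the first match wins.
    Matching is unanchored and case-insensitive, mirroring the log where the rule's
    'cn=DIGEST-MD5' matched the normalized 'cn=digest-md5'. $N in the replacement
    is substituted with the Nth capture group. Returns None when nothing matches."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            # The callable returns group text literally, so backslashes in the
            # escaped uid value ('\3D') survive the substitution unchanged.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def resolve_bind_dn(authcid, mech, rules=RULES, directory=DIRECTORY):
    """Map an authcid to a bind DN and check whether that entry exists.
    Returns (mapped_dn_or_None, found). DN comparison is case-insensitive,
    as slapd's dnNormalize lowercases attribute types and these values."""
    mapped = apply_authz_regexp(sasl_auth_dn(authcid, mech), rules)
    if mapped is None:
        return None, False
    known = {dn.lower() for dn in directory}
    return mapped, mapped.lower() in known


if __name__ == "__main__":
    for authcid in ("uid=sasluser21", "sasluser21"):
        dn, found = resolve_bind_dn(authcid, "DIGEST-MD5")
        verdict = "entry found, auxprop can fetch userPassword" if found \
            else "entry not found -> SASL(-13) no secret in database"
        print("-U %-16s -> %-42s %s" % (authcid, dn, verdict))
```

Running the script prints the two mappings side by side: the `uid=` prefix ends up inside the RDN value and the lookup fails, while the bare username maps to the entry that was added. Two things the simulation does not cover, and that the log above shows matter as well, are that the DIGEST-MD5 exchange needs the stored userPassword in cleartext (hence `password-hash {CLEARTEXT}` before the entry is added) and that the anonymous pre-bind identity must be allowed to see the mapped entry, which is the ACL point raised in the reply.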
