Re: SASL + LDAP

Giovanni Malfarà <giovanni.malfara@xxxxxxxxx> · Fri, 16 Apr 2010 22:45:51 +0200

On 04/15/2010 04:42 PM, Dan White wrote:
> On 15/04/10 15:33 +0200, Giovanni Malfarà wrote:
>> In slapd (slapd -d -1) debug messages I get:
>>
>> SASL [conn=7] Debug: DIGEST-MD5 server step 2
>> slap_sasl_getdn: u:id converted to
>> uid=test@xxxxxxxxxxxx,cn=DIGEST-MD5,cn=auth
>>>>> dnNormalize: <uid=test@xxxxxxxxxxxx,cn=DIGEST-MD5,cn=auth>
>> <<< dnNormalize: <uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth>
>> ==>slap_sasl2dn: converting SASL name
>> uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth to a DN
>> slap_authz_regexp: converting SASL name
>> uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth
>> <==slap_sasl2dn: Converted SASL name to <nothing>
>> SASL [conn=7] Failure: no secret in database
>
> I have a similar configuration to your's except that I use the
> authz-regexp
> and authz-policy statements instead of what you have. I'm using version
> 2.4.15:
>
> authz-regexp
>   "uid=([^,]+),cn=([^,]+),cn=auth"
>  
> ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))
>
>
> authz-policy to
>
> (btcAltUID and btcAccountStatus are non-standard attributes)
>
> This looks alarming:
>
> access to * attrs=userPassword by self write by * write
>
> I have (slightly modified):
>
> access to
> attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
>
>         by anonymous auth
>         by self write
>         by * none
>
Nothing happens using authz-regexp and auth-policy and modifying the
access rule.

What else can I check?

Thank you!

-- 
Giovanni Malfarà

Per favore non mandatemi allegati in Word o PowerPoint.
Si veda http://www.gnu.org/philosophy/no-word-attachments.it.html 

"Ciò che conta in guerra non sono gli uomini, è l'uomo cioè il soldato che sa battersi fino in fondo, difendendo un pezzo di terra o, contro ogni logica, un brandello di idea". (Napoleone Bonaparte).