[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SASL problems
Hi,
I'm trying to debug some SASL problems I'm having with OpenLDAP 2.0.22
on Linux.
For example, in the conf file I have:
sasl-realm "agestado.com.br"
access to attribute=userPassword
        by dn="uid=repl\+realm=agestado.com.br" read
When I try something like
% ldapsearch -U repl -Y DIGEST-MD5 "mail=anr@testdomain.enet"
I don't see the userPassword attribute.
The log shows that the first two binds fail, the third succeeds with ssf=1:
slapd[7481]: do_bind 
slapd[7481]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7481]: conn=11 op=0 BIND dn="" method=163 
slapd[7481]: send_ldap_sasl: err=14 len=129 
slapd[7481]: send_ldap_response: msgid=1 tag=97 err=14 
slapd[7481]: <== slap_sasl_bind: rc=14 
slapd[7483]: do_bind 
slapd[7483]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7483]: conn=11 op=1 BIND dn="" method=163 
slapd[7483]: send_ldap_sasl: err=14 len=40 
slapd[7483]: send_ldap_response: msgid=2 tag=97 err=14 
slapd[7483]: <== slap_sasl_bind: rc=14 
slapd[7481]: do_bind 
slapd[7481]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7481]: conn=11 op=2 BIND dn="" method=163 
slapd[7481]: SASL Authorize [conn=11]: "repl" as "u:repl" 
slapd[7481]: slap_sasl_bind: username="u:repl" realm="agestado.com.br" ssf=1 
slapd[7481]: <== slap_sasl_bind: authzdn: "uid=repl + realm=agestado.com.br" 
slapd[7481]: send_ldap_sasl: err=0 len=-1 
slapd[7481]: send_ldap_response: msgid=3 tag=97 err=0 
slapd[7481]: <== slap_sasl_bind: rc=0 
Then the acl fails:
slapd[7483]: => acl_mask: access to entry "uid=anr@testdomain.enet,ou=accounts,dc=agestado,dc=com,dc=br", attr "userPassword" requested 
slapd[7483]: => acl_mask: to all values by "UID=REPL+REALM=AGESTADO.COM.BR", (=n)  
slapd[7483]: <= check a_dn_pat: uid=repl+realm=agestado.com.br 
slapd[7483]: => string_expand: pattern:  uid=repl+realm=agestado.com.br 
slapd[7483]: => string_expand: expanded: uid=repl+realm=agestado.com.br 
slapd[7483]: => regex_matches: string:   UID=REPL+REALM=AGESTADO.COM.BR 
slapd[7483]: => regex_matches: rc: 1 no matches 
I must be overlooking something. Any hints?
Thanks,
--
Adriano