
List:       openldap-technical
Subject:    Re: Pb with sasl2 digest - md5 and openldap
From:       bea chataigne <bchataigne () gmail ! com>
Date:       2011-10-30 8:55:08
Message-ID: CAO4LTFO_jiO5WpO5-yqjo+aim_g2iT5c_3Dbt-Y3q0FnDip3-w () mail ! gmail ! com

Hello Michael,

Yes, sasl-md5 works with clear passwords; that is why, for me, the password of
syncuser is defined in the sasl2db base.

In my ldap configuration, I have only the following line:

OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser, dc=xxx, dc=fr "

In my ldap base I thus have no entry "cn=syncuser,dc=xxx,dc=fr" defined.

In my ldapsearch command:

# ldapsearch -Y DIGEST-MD5 -U syncuser -h localhost

It reads that rule OlcAuthzRegexp: {0} for the user
"uid=syncuser, cn=DIGEST-MD5, cn=auth ", which translates into the ldap entry
"cn=syncuser,cn=xxx,cn=fr".

Then it compares the password first in the sasl2db base, then in the ldap base.
In my case, the password being in the sasldb base, it should find a match, no?

Is it correct up to there?

Best regards
chataigne

2011/10/29 Michael Ströder <michael@stroeder.com>

> bea chataigne wrote:
> > # ldapsearch -Y DIGEST-MD5 -U syncuser
> > ldap_sasl_interactive_bind_s: Invalid credentials ( 49 )
> >         additional information: SASL ( 13 ): user not found: no secret in database
>
> Does attribute userPassword of entry cn=syncuser,dc=xxx,dc=fr have a clear-text
> value? SASL DIGEST-MD5 does not work with hashed passwords.
>
> Ciao, Michael.
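
Added example, not part of the original thread: why DIGEST-MD5 cannot be verified against a hashed password, as stated in the quoted reply. It computes the RFC 2831 response (qop=auth, no authzid) on both sides; the realm, nonces, password and salt are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_response(user, realm, secret, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response-value for qop=auth without an authzid."""
    # Client and server must both derive this from the same cleartext secret.
    ss = md5(f"{user}:{realm}:{secret}".encode())
    a1 = ss + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1 = md5(a1).hex()
    ha2 = md5(a2).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def ssha(password: str, salt: bytes) -> str:
    """Salted SHA-1 value in the {SSHA} userPassword format."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def server_verifies(stored_secret, client_response, **params):
    """Recompute the response from whatever the server has stored."""
    expected = digest_response(secret=stored_secret, **params)
    return hmac.compare_digest(expected, client_response)

# Constructed sample exchange; none of these values come from the thread
# except the user name and the localhost target.
PARAMS = dict(user="syncuser", realm="example.test",
              nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
              nc="00000001", digest_uri="ldap/localhost")
PASSWORD = "constructed-password"
CLIENT_RESPONSE = digest_response(secret=PASSWORD, **PARAMS)

def demo():
    hashed = ssha(PASSWORD, salt=b"\x01\x02\x03\x04")
    return {
        # Server holds the cleartext secret: it can rebuild the response.
        "cleartext_stored": server_verifies(PASSWORD, CLIENT_RESPONSE, **PARAMS),
        # Server holds only a one-way hash: the MD5 input cannot be rebuilt.
        "ssha_stored": server_verifies(hashed, CLIENT_RESPONSE, **PARAMS),
    }

if __name__ == "__main__":
    for store, ok in demo().items():
        print(f"{store}: {'bind succeeds' if ok else 'bind fails'}")
```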


