# Subversion + saslauthd + OpenLDAP



## NuLL3rr0r (Jul 29, 2018)

We have a FreeBSD server running Gitea, agilo, DokuWiki, NextCloud, ... authenticating against a self-hosted OpenLDAP instance running on the same server and it works flawlessly.

Recently, we have introduced Subversion into our pipeline. I'm trying to make Subversion authenticate against the same LDAP directory but hit a brick wall with the OpenLDAP authentication part.

I followed this and this guide, without any success.

This is what I see in the logs for a successful login from other services (e.g. DokuWiki):


```
Jul 29 16:35:06 core slapd[49965]: conn=1028 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=1 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=2 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=mohammad.babaei))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND anonymous mech=implicit ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=5 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=mohammad.babaei))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=8 UNBIND
Jul 29 16:35:06 core slapd[49965]: conn=1028 fd=16 closed
Jul 29 16:35:06 core slapd[49965]: conn=1029 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: connection_input: conn=1029 deferring operation: binding
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=0 RESULT tag=97 err=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=1 SRCH base="ou=people,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(uid=vahab.ahmadvand))"
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SRCH base="ou=groups,dc=cheetah,dc=com" scope=2 deref=0 filter="(&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=dokuwiki,ou=groups,dc=cheetah,dc=com))"
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SRCH attr=1.1
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 16:35:06 core slapd[49965]: conn=1029 op=3 UNBIND
Jul 29 16:35:06 core slapd[49965]: conn=1029 fd=16 closed
```

When I run testsaslauthd:


```
$ testsaslauthd -u mohammad.babaei -p password -f /var/run/saslauthd/mux
0: NO "authentication failed"
```

And here is the slapd log for the failed login with testsaslauthd:


```
Jul 29 16:38:01 core slapd[49965]: conn=1030 fd=16 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 RESULT tag=97 err=49 text=
```

And saslauthd verbose logs:


```
saslauthd[51398] :rel_accept_lock : released accept lock
saslauthd[51399] :get_accept_lock : acquired accept lock
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x802e20030 msgid 1
wait4msg ld 0x802e20030 msgid 1 (infinite timeout)
wait4msg continue ld 0x802e20030 msgid 1 all 1
** ld 0x802e20030 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Sun Jul 29 16:52:03 2018


** ld 0x802e20030 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x802e20030 request count 1 (abandoned 0)
** ld 0x802e20030 Response Queue:
   Empty
  ld 0x802e20030 response count 0
ldap_chkResponseList ld 0x802e20030 msgid 1 all 1
ldap_chkResponseList returns ld 0x802e20030 NULL
ldap_int_select
read1msg: ld 0x802e20030 msgid 1 all 1
read1msg: ld 0x802e20030 msgid 1 message type bind
read1msg: ld 0x802e20030 0 new referrals
read1msg:  mark request completed, ld 0x802e20030 msgid 1
request done: ld 0x802e20030 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
saslauthd[51398] :do_auth         : auth failure: [user=mohammad.babaei] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[51398] :do_request      : response: NO
```

Here are my config files:

/usr/local/etc/openldap/slapd.conf

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/collective.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/duaconf.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/pmi.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/custom-additions.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath    /usr/local/libexec/openldap
# moduleload    back_mdb
# moduleload    back_ldap
moduleload      pw-sha2
moduleload      back_mdb

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security ssf=256 update_ssf=256 simple_bind=256
#security ssf=128 update_ssf=128 simple_bind=128

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
disallow bind_anon

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=root,dc=cheetah,dc=com" write
        by * none
access to *
        by self write
        by dn.base="cn=root,dc=cheetah,dc=com" write
        by * read

#######################################################################
# MDB database definitions
#######################################################################

database    mdb
maxsize        1073741824
suffix          "dc=cheetah,dc=com"
rootdn          "cn=root,dc=cheetah,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SHA512}EWZsDXlOewqSeOvnuTt+A0Al4WZg8cGd06vU/s2B5up/NM2qbMH4FHtb9545XasonZXIKJK79xJ1MzCDxJQI8Q==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/db/openldap-data
# Indices to maintain
index   objectClass                                  eq
index   uid,uidNumber,gidNumber                      pres,eq
index   cn,sn,gn                                     pres,eq,sub,approx
index   mail                                         pres,eq
index   owner,member,memberOf,uniqueMember,manager   eq
index   memberUid                                    eq

overlay memberof

TLSCipherSuite          HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2
TLSCertificateFile      /etc/ssl/certs/cheetah.com.crt
TLSCertificateKeyFile   /etc/ssl/certs/cheetah.com.key
TLSCACertificateFile    /etc/ssl/certs/cheetah.com.crt
TLSDHParamFile          /etc/ssl/certs/dhparam.pem
TLSVerifyClient         allow

logfile /var/log/openldap/slapd.log
loglevel 0x100
```

/usr/local/etc/openldap/ldap.conf

```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

base dc=cheetah,dc=com
uri ldapi:///
#ssl start_tls
#tls_cacert /etc/ssl/certs/cheetah.com.crt
#tls_cacertdir /etc/ssl/certs
#tls_reqcert allow
#tls_reqcert never
```


/usr/local/etc/saslauthd.conf

```
ldap_servers: ldapi:///
ldap_version: 3
ldap_timeout: 60

ldap_use_sasl: no
ldap_start_tls: no
ldap_mech: PLAIN LOGIN

ldap_auth_method: bind
ldap_bind_dn: cn=root,dc=cheetah,dc=com
ldap_bind_pw: password

ldap_search_base: ou=people,dc=cheetah,dc=com
ldap_filter: (&(uid=%u))
#ldap_filter: (&(memberOf=cn=cheetah.com,ou=groups,dc=cheetah,dc=com)(memberOf=cn=Subversion,ou=groups,dc=cheetah,dc=com)(uid=%u))

ldap_debug: 1
```

I believe the difference between DokuWiki and testsaslauthd lies here:


```
/// DokuWiki
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=0 BIND dn="cn=root,dc=cheetah,dc=com" mech=SIMPLE ssf=0

/// testsaslauthd
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
```

I'm not sure how to force testsaslauthd to do the mech=SIMPLE ssf=0 part.
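The slapd stats lines quoted above (loglevel 0x100) log each bind as one or two `BIND` lines plus a `RESULT` line keyed by `conn`/`op`; correlating them is how you turn that log into a list of failed binds with their DN and bind kind. This is an added example written for this page, not code from the thread; its sample input is copied from the slapd.log excerpts above, and all function names are this example's own.

```python
"""Correlate slapd stats-log (loglevel 0x100) lines into per-op BIND outcomes
so failed binds can be reported with DN, bind kind and diagnostic text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A bind is logged as one or two BIND lines (method=128 simple / 163 SASL,
# then mech=... ssf=...) followed by a RESULT line with the LDAP result code.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"'
                     r'(?: method=(\d+))?(?: mech=(\S+))?(?: ssf=(\d+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)(?: text=(.*))?')
ERR_NAMES = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}

@dataclass
class BindOutcome:
    conn: int
    op: int
    dn: str
    method: Optional[int] = None   # 128 = simple bind, 163 = SASL bind
    mech: Optional[str] = None
    ssf: Optional[int] = None
    err: Optional[int] = None      # None until the RESULT line is seen
    text: str = ""

    @property
    def kind(self) -> str:
        return {128: "simple", 163: "sasl"}.get(self.method, self.mech or "?")

def correlate_binds(lines) -> Dict[Tuple[int, int], BindOutcome]:
    """Merge the BIND and RESULT lines of each (conn, op) into one record."""
    binds: Dict[Tuple[int, int], BindOutcome] = {}
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            key = (int(m[1]), int(m[2]))
            b = binds.setdefault(key, BindOutcome(key[0], key[1], m[3]))
            b.method, b.mech, b.ssf = (int(m[4]) if m[4] else b.method,
                                       m[5] or b.mech, int(m[6]) if m[6] else b.ssf)
            continue
        m = RESULT_RE.search(line)
        if m and (int(m[1]), int(m[2])) in binds:
            b = binds[(int(m[1]), int(m[2]))]
            b.err, b.text = int(m[3]), (m[4] or "").strip()
    return binds

def failed_binds(lines) -> List[Tuple[str, str, str, str]]:
    """(dn, kind, error name, diagnostic) for every bind that did not succeed."""
    return [(b.dn, b.kind, ERR_NAMES.get(b.err, str(b.err)), b.text)
            for b in correlate_binds(lines).values() if b.err not in (None, 0)]

# Sample input: lines copied from the slapd.log excerpts in this thread.
SAMPLE = """\
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" method=128
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 BIND dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" mech=SIMPLE ssf=0
Jul 29 16:35:06 core slapd[49965]: conn=1028 op=4 RESULT tag=97 err=0 text=
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 BIND dn="cn=root,dc=cheetah,dc=com" method=128
Jul 29 16:38:01 core slapd[49965]: conn=1030 op=0 RESULT tag=97 err=49 text=
Jul 30 10:34:45 core slapd[47561]: conn=1003 op=0 BIND dn="" method=163
Jul 30 10:34:45 core slapd[47561]: conn=1003 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
"""

if __name__ == "__main__":
    for dn, kind, err, text in failed_binds(SAMPLE.splitlines()):
        print(f'{kind:6} bind as "{dn}" -> {err} {text}')
```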


----------



## Datapanic (Jul 29, 2018)

Are you using the FreeBSD port net/openldap24-server?  If so, check the options for GSSAPI and SASL - I think they're disabled by default.


----------



## NuLL3rr0r (Jul 30, 2018)

Thank you so much for the answer. Yes, I'm using net/openldap24-server. I also tried turning the SASL option on, which builds the SASL variant. But from my understanding, it is not necessary to use SASL since there is the ldap_use_sasl option available. Am I wrong?

I'll try to run on GSSAPI and SASL at the same time and report back. Thanks again!


----------



## NuLL3rr0r (Jul 30, 2018)

OK, I did enable GSSAPI and SASL and set ldap_use_sasl to yes, and now I'm getting this inside slapd.log:


```
Jul 30 10:34:45 core slapd[47561]: conn=1003 fd=13 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Jul 30 10:34:45 core slapd[47561]: conn=1003 op=0 BIND dn="" method=163
Jul 30 10:34:45 core slapd[47561]: SASL [conn=1003] Failure: Password verification failed
Jul 30 10:34:45 core slapd[47561]: conn=1003 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
```

And saslauthd:


```
saslauthd[47828] :rel_accept_lock : released accept lock
saslauthd[47829] :get_accept_lock : acquired accept lock
ldap_sasl_interactive_bind: user selected: PLAIN LOGIN
ldap_int_sasl_bind: PLAIN LOGIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_int_sasl_open: host=core.cheetah.com
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x803020060 msgid 1
wait4msg ld 0x803020060 msgid 1 (infinite timeout)
wait4msg continue ld 0x803020060 msgid 1 all 1
** ld 0x803020060 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Mon Jul 30 10:34:45 2018


** ld 0x803020060 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x803020060 request count 1 (abandoned 0)
** ld 0x803020060 Response Queue:
   Empty
  ld 0x803020060 response count 0
ldap_chkResponseList ld 0x803020060 msgid 1 all 1
ldap_chkResponseList returns ld 0x803020060 NULL
ldap_int_select
read1msg: ld 0x803020060 msgid 1 all 1
read1msg: ld 0x803020060 msgid 1 message type bind
read1msg: ld 0x803020060 0 new referrals
read1msg:  mark request completed, ld 0x803020060 msgid 1
request done: ld 0x803020060 msgid 1
res_errno: 49, res_error: <SASL(-13): user not found: Password verification failed>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: PLAIN LOGIN
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
saslauthd[47828] :do_auth         : auth failure: [user=mohammad.babaei] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[47828] :do_request      : response: NO
```


----------



## NuLL3rr0r (Jul 30, 2018)

OK, thanks to this post I've managed to make some progress. I added the following to /usr/local/etc/openldap/slapd.conf:


```
sasl-host          localhost
#sasl-realm         cheetah.com

authz-policy       from
authz-regexp       uid=([^,]*),cn=[^,]*,cn=auth
                   uid=$1,ou=people,dc=cheetah,dc=com
```

But I'm getting the following inside my slapd.log:


```
5b5ecb58 slap_listener_activate(6):
5b5ecb58 >>> slap_listener(ldapi:///)
5b5ecb58 connection_get(16): got connid=1001
5b5ecb58 connection_read(16): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 47 contents:
5b5ecb58 op tag 0x60, time 1532939096
ber_get_next
5b5ecb58 conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
5b5ecb58 >>> dnPrettyNormal: <>
5b5ecb58 <<< dnPrettyNormal: <>, <>
5b5ecb58 do_bind: dn () SASL mech PLAIN
5b5ecb58 slap_sasl_getdn: u:id converted to uid=mohammad.babaei,cn=PLAIN,cn=auth
5b5ecb58 >>> dnNormalize: <uid=mohammad.babaei,cn=PLAIN,cn=auth>
5b5ecb58 <<< dnNormalize: <uid=mohammad.babaei,cn=plain,cn=auth>
5b5ecb58 ==>slap_sasl2dn: converting SASL name uid=mohammad.babaei,cn=plain,cn=auth to a DN
5b5ecb58 ==> rewrite_context_apply [depth=1] string='uid=mohammad.babaei,cn=plain,cn=auth'
5b5ecb58 ==> rewrite_rule_apply rule='uid=([^,]*),cn=[^,]*,cn=auth' string='uid=mohammad.babaei,cn=plain,cn=auth' [1 pass(es)]
5b5ecb58 ==> rewrite_context_apply [depth=1] res={0,'uid=mohammad.babaei,ou=people,dc=cheetah,dc=com'}
5b5ecb58 slap_parseURI: parsing uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
ldap_url_parse_ext(uid=mohammad.babaei,ou=people,dc=cheetah,dc=com)
5b5ecb58 >>> dnNormalize: <uid=mohammad.babaei,ou=people,dc=cheetah,dc=com>
5b5ecb58 <<< dnNormalize: <uid=mohammad.babaei,ou=people,dc=cheetah,dc=com>
5b5ecb58 <==slap_sasl2dn: Converted SASL name to uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
5b5ecb58 slap_sasl_getdn: dn:id converted to uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
5b5ecb58 slap_sasl_getdn: u:id converted to uid=mohammad.babaei,cn=PLAIN,cn=auth
5b5ecb58 >>> dnNormalize: <uid=mohammad.babaei,cn=PLAIN,cn=auth>
5b5ecb58 <<< dnNormalize: <uid=mohammad.babaei,cn=plain,cn=auth>
5b5ecb58 ==>slap_sasl2dn: converting SASL name uid=mohammad.babaei,cn=plain,cn=auth to a DN
5b5ecb58 ==> rewrite_context_apply [depth=1] string='uid=mohammad.babaei,cn=plain,cn=auth'
5b5ecb58 ==> rewrite_rule_apply rule='uid=([^,]*),cn=[^,]*,cn=auth' string='uid=mohammad.babaei,cn=plain,cn=auth' [1 pass(es)]
5b5ecb58 ==> rewrite_context_apply [depth=1] res={0,'uid=mohammad.babaei,ou=people,dc=cheetah,dc=com'}
5b5ecb58 slap_parseURI: parsing uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
ldap_url_parse_ext(uid=mohammad.babaei,ou=people,dc=cheetah,dc=com)
5b5ecb58 >>> dnNormalize: <uid=mohammad.babaei,ou=people,dc=cheetah,dc=com>
5b5ecb58 <<< dnNormalize: <uid=mohammad.babaei,ou=people,dc=cheetah,dc=com>
5b5ecb58 <==slap_sasl2dn: Converted SASL name to uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
5b5ecb58 slap_sasl_getdn: dn:id converted to uid=mohammad.babaei,ou=people,dc=cheetah,dc=com
5b5ecb58 => mdb_search
5b5ecb58 mdb_dn2entry("uid=mohammad.babaei,ou=people,dc=cheetah,dc=com")
5b5ecb58 => mdb_dn2id("uid=mohammad.babaei,ou=people,dc=cheetah,dc=com")
5b5ecb58 <= mdb_dn2id: got id=0x6
5b5ecb58 => mdb_entry_decode:
5b5ecb58 <= mdb_entry_decode
5b5ecb58 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
5b5ecb58 send_ldap_result: conn=1001 op=0 p=3
5b5ecb58 SASL [conn=1001] Failure: Password verification failed
5b5ecb58 send_ldap_result: conn=1001 op=0 p=3
5b5ecb58 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 69 bytes to sd 16
5b5ecb58 <== slap_sasl_bind: rc=49
```

And saslauthd log says:


```
saslauthd[10646] :rel_accept_lock : released accept lock
saslauthd[10647] :get_accept_lock : acquired accept lock
ldap_sasl_interactive_bind: user selected: PLAIN LOGIN
ldap_int_sasl_bind: PLAIN LOGIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_int_sasl_open: host=core.cheetah.com
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x803020060 msgid 1
wait4msg ld 0x803020060 msgid 1 (infinite timeout)
wait4msg continue ld 0x803020060 msgid 1 all 1
** ld 0x803020060 Connections:
* host: (null)  port: 0  (default)
  refcnt: 2  status: Connected
  last used: Mon Jul 30 12:55:22 2018


** ld 0x803020060 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x803020060 request count 1 (abandoned 0)
** ld 0x803020060 Response Queue:
   Empty
  ld 0x803020060 response count 0
ldap_chkResponseList ld 0x803020060 msgid 1 all 1
ldap_chkResponseList returns ld 0x803020060 NULL
ldap_int_select
read1msg: ld 0x803020060 msgid 1 all 1
read1msg: ld 0x803020060 msgid 1 message type bind
read1msg: ld 0x803020060 0 new referrals
read1msg:  mark request completed, ld 0x803020060 msgid 1
request done: ld 0x803020060 msgid 1
res_errno: 49, res_error: <SASL(-13): user not found: Password verification failed>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: PLAIN LOGIN
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
saslauthd[10646] :do_auth         : auth failure: [user=mohammad.babaei] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[10646] :do_request      : response: NO
```

No idea why it picks cmusaslsecretPLAIN, which I don't have in my LDAP directory, instead of userPassword.


----------



## NuLL3rr0r (Jul 30, 2018)

Update:

I tried adding cmusaslsecretPLAIN and cmusaslsecretDIGEST-MD5 as my OpenLDAP schema did not have those. Unfortunately, it refused to work.


```
attributetype ( 1.3.6.1.4.1.3.8.1.1.2 NAME 'cmusaslsecretDIGEST-MD5'
        DESC 'SASL DIGEST-MD5 secret'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{16} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.3.8.1.1.5 NAME 'cmusaslsecretPLAIN'
        DESC 'SASL PLAIN secret'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )

objectClass ( 13.17.11011.1.0.5.8192.200 NAME 'saslAccount'
        DESC 'Abstraction of a SASL account'
        SUP top AUXILIARY
        MAY ( cmusaslsecretDIGEST-MD5 $ cmusaslsecretPLAIN ) )
```

I then changed userPassword in my LDAP directory for one of the accounts and, instead of CRYPT, MD5, ..., I set userPassword to {CLEARTEXT}123 and:


```
$ testsaslauthd -u mohammad.babaei -p 123 -f /var/run/saslauthd/mux
0: OK "Success."
```

saslauthd logs:


```
saslauthd[14725] :do_auth         : auth success: [user=mohammad.babaei] [service=imap] [realm=] [mech=ldap]
saslauthd[14725] :do_request      : response: OK
```

And slapd logs:


```
5b5eea47 send_ldap_result: conn=1001 op=0 p=3
5b5eea47 SASL Authorize [conn=1001]:  proxy authorization allowed authzDN=""
5b5eea47 send_ldap_sasl: err=0 len=-1
5b5eea47 do_bind: SASL/PLAIN bind: dn="uid=mohammad.babaei,ou=people,dc=cheetah,dc=com" sasl_ssf=0
5b5eea47 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 16
5b5eea47 <== slap_sasl_bind: rc=0
```

It seems that I have no choice other than storing passwords in clear text :|
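The {CLEARTEXT} result above reflects two different verification paths in slapd: a simple bind (method=128) hashes the candidate password with the stored scheme and salt and compares digests, so hashed userPassword values work, whereas the SASL/PLAIN bind in these logs has Cyrus SASL ask slapd's auxprop lookup for a cleartext secret (cmusaslsecretPLAIN or a {CLEARTEXT} userPassword) and compare it itself. The following is an added example written for this page, not code from the thread or from OpenLDAP; it models both paths for the {SHA512}/{SSHA512}-family schemes (the unsalted {SHA512} form is what the pw-sha2 module in the slapd.conf above provides), and all function names are this example's own.

```python
"""Model the two password-verification paths behind the thread's {CLEARTEXT}
result: simple bind (hash-and-compare) versus the SASL auxprop lookup."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hash-scheme prefixes slapd accepts in userPassword. Salted variants store
# digest || salt, base64-encoded; unsalted variants store just the digest.
_SCHEMES = {
    "SHA": ("sha1", False), "SSHA": ("sha1", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}

def _split_scheme(stored: str) -> Tuple[str, str]:
    """Return (SCHEME, payload); a value without a {SCHEME} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEARTEXT", stored

def make_userpassword(password: str, scheme: str = "SSHA512",
                      salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value for the scheme, like slappasswd(8) would."""
    if scheme.upper() == "CLEARTEXT":
        return "{CLEARTEXT}" + password
    algo, salted = _SCHEMES[scheme.upper()]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())

def simple_bind_check(stored: str, candidate: str) -> bool:
    """Simple bind (method=128): hash the candidate with the stored scheme and
    salt, then compare digests in constant time. Hashed values work here."""
    scheme, payload = _split_scheme(stored)
    cand = candidate.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), cand)
    if scheme not in _SCHEMES:
        return False                      # unknown scheme: bind fails (err=49)
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False                      # corrupt value: treat as a failed bind
    size = hashlib.new(algo).digest_size
    digest, salt = (raw[:size], raw[size:]) if salted else (raw, b"")
    return hmac.compare_digest(hashlib.new(algo, cand + salt).digest(), digest)

def sasl_plain_secret(stored: str) -> Optional[str]:
    """SASL/PLAIN through slapd: the auxprop lookup must hand Cyrus SASL a
    cleartext secret to compare; a hashed userPassword yields nothing, which is
    why the bind above only succeeded once the value became {CLEARTEXT}."""
    scheme, payload = _split_scheme(stored)
    return payload if scheme == "CLEARTEXT" else None
```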


----------



## NuLL3rr0r (Jul 30, 2018)

Another update:

Due to changing userPassword values to {CLEARTEXT}, all other services using the same LDAP directory have stopped working. I'd appreciate it if someone could tell me what's happening here.

Thanks!


----------

