# openldap + sasl problem



## erikf154 (May 8, 2009)

I've been breaking my head with this for two days now. I've got openldap installed with sasl support on an auth-server. However, I cannot seem to get sasl working properly. I've added the schema and all to openldap, as well as adding users to the database.

But when I try to authenticate using digest-md5, I get an error:

```
# ldapsearch -Y digest-md5 -U joes@freebsd71
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
```

debug.log gives me this:

```
May  8 14:49:48 freebsd71 ldapsearch: DIGEST-MD5 client step 2
May  8 14:49:48 freebsd71 slapd[78385]: conn=19 op=1 BIND dn="" method=163
May  8 14:49:48 freebsd71 slapd[78385]: SASL [conn=19] Failure: Could not open db
May  8 14:49:48 freebsd71 last message repeated 3 times
May  8 14:49:48 freebsd71 slapd[78385]: SASL [conn=19] Failure: no secret in database
May  8 14:49:48 freebsd71 slapd[78385]: conn=19 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
May  8 14:49:48 freebsd71 slapd[78385]: conn=19 fd=11 closed (connection lost)
```

It looks as if it either can't connect to the user db (/usr/local/etc/sasldb2.db), or that it doesn't exist, but it does, I've checked. Also:


```
# sasldblistusers2
admin@freebsd71: userPassword
joes@freebsd71: userPassword
```

Output from ldapsearch:

```
dn: uid=joes,ou=People,dc=testdomain,dc=no
uid: joes
cn: Joe Schmoe
objectClass: top
objectClass: inetOrgPerson
objectClass: person
givenName: Joe
sn: Schmoe
```

Parts of slapd.conf:

```
database        bdb
suffix          "dc=testdomain,dc=no"
rootdn          "cn=Manager,dc=testdomain,dc=no"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}erhPkiMW4qIl0KFguplsA4Va+QP2xIBl

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data

# Indices to maintain
index   objectClass     eq
index   uid             eq
index   cn              pres,sub,eq
index   givenname       pres,sub,eq
index   surname         pres,sub,eq
```

Does anybody have any experience with this? I'm pretty new, so right now it's kinda "cloudy"; I've been reading up on this a lot, but still can't figure it out. Any help is appreciated.


----------



## gordon@ (May 10, 2009)

What are the permissions on the sasldb2.db? Also, what user is the slapd running as?


----------



## erikf154 (May 14, 2009)

It's running as the ldap user.

The permissions are 600.

It works fine when storing the passwords in the LDAP database. But then I need to use the password-hash {CLEARTEXT} in slapd.conf and I don't like that.

It seems as though slapd just doesn't want to query the sasldb2.db file.
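A small diagnostic, added here and not posted by anyone in the thread, that pulls the `SASL [conn=N] Failure:` lines out of debug.log and checks whether the account slapd runs as (ldap, per the reply above) can actually read /usr/local/etc/sasldb2.db. The log text is a constructed copy of the lines quoted in the first post, and the function names (`sasl_failures`, `readable_by`, `check_sasldb`) are my own.

```python
import os
import pwd
import grp
import re
import stat

# Constructed sample: the slapd lines quoted from debug.log in the first post.
SAMPLE_LOG = """\
May  8 14:49:48 freebsd71 slapd[78385]: conn=19 op=1 BIND dn="" method=163
May  8 14:49:48 freebsd71 slapd[78385]: SASL [conn=19] Failure: Could not open db
May  8 14:49:48 freebsd71 slapd[78385]: SASL [conn=19] Failure: no secret in database
May  8 14:49:48 freebsd71 slapd[78385]: conn=19 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
"""

SASL_FAILURE = re.compile(r"slapd\[\d+\]: SASL \[conn=(\d+)\] Failure: (.+)$")

def sasl_failures(log_text):
    """Return (conn, reason) pairs for every 'SASL [conn=N] Failure:' line."""
    return [(int(m.group(1)), m.group(2))
            for m in (SASL_FAILURE.search(line) for line in log_text.splitlines())
            if m]

def readable_by(st_uid, st_gid, st_mode, uid, gids):
    """Plain Unix read check: root reads anything, then owner, group, other bits."""
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def check_sasldb(path, username):
    """Report owner, mode and whether `username` (the slapd account) can read `path`."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    # Primary group plus every supplementary group the user is listed in.
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    ok = readable_by(st.st_uid, st.st_gid, st.st_mode, pw.pw_uid, gids)
    return {"path": path, "owner": pwd.getpwuid(st.st_uid).pw_name,
            "mode": oct(stat.S_IMODE(st.st_mode)), "user": username, "readable": ok}

if __name__ == "__main__":
    for conn, reason in sasl_failures(SAMPLE_LOG):
        print(f"conn={conn}: {reason}")
    # Path and daemon user as given in the thread; needs the file to exist locally.
    print(check_sasldb("/usr/local/etc/sasldb2.db", "ldap"))
```

A root-owned sasldb2.db with mode 600 comes back `readable: False` for the ldap user, which matches the "Could not open db" line that precedes the "no secret in database" error.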


----------

