
Re: SASL troubles



At 07:33 AM 2001-09-07, Pavel Levshin wrote:
>Hello all,
>
>I'm trying to setup an LDAP server, and there are some difficulties
>which I have seen. It is OpenLDAP 2.0.11 with Cyrus SASL 1.5.24, and,
>in general, it worked.
>
>
>First, I applied simple restriction on my database:
>
>access to * by dn=uid=user,dc=mariinsky,dc=ru read

note the implicit:
        by * none

which implies anonymous cannot read the root DSE.

>Then I was unable to even bind with ldapsearch. After a hour of
>debugging I had figured out that I need:
>
>access to ^$ by * read
>
>for ldapsearch to work correctly. It does anonymous search of
>supportedSASLMechanisms before actual bind.
>
>
>Second, in the Administrator's Guide there are "SASL-based" examples
>of rootdn etc:
>
>rootdn     "uid=user@EXAMPLE.COM"
>
>But it does not work.

It does, depending on the mechanism, the mechanism plugin version,
and whether sasl_realm is set and if so what it is set to.  Unless you
really know the internals of all the pieces, one has to resort to the
logs to discover the form of the generated authzdn's.

>I'm just wondering, why these not-so-easy things are not documented
>anywhere?

We do have some contribution in this area for the next minor release.
Of course, you and others are quite welcome to contribute.  One easy
place to contribute is the FAQ, it is interactive.  (There is also
a FAQ answer on how to contribute to the guide).

Kurt
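The ACL interplay discussed in this thread, written out as an added illustration (not configuration from either message): a slapd.conf fragment in the OpenLDAP 2.0 regex style, with the root DSE rule placed ahead of the catch-all so the anonymous pre-bind lookup of supportedSASLMechanisms succeeds while everything else stays restricted to the DN quoted above.

```conf
# slapd.conf (OpenLDAP 2.0.x) -- added example, not Pavel's or Kurt's config
#
# Problem: the single rule below carries an implicit "by * none", so an
# anonymous client cannot read the root DSE (dn ""), and the anonymous
# search for supportedSASLMechanisms that ldapsearch issues before its
# SASL bind fails. The symptom is a bind that never gets off the ground.
#
#   access to * by dn="uid=user,dc=mariinsky,dc=ru" read
#
# Fix: ACLs are evaluated in order and the first matching "access to"
# clause wins, so grant anonymous read on the root DSE *before* the
# catch-all. ^$ is the regex for the empty DN, as used in the thread.
access to dn="^$"
        by * read

# Everything else stays restricted to the named user. The trailing
# "by * none" is the same default slapd applies implicitly; writing it
# out makes the deny visible to whoever reads this file next.
access to *
        by dn="uid=user,dc=mariinsky,dc=ru" read
        by * none
```

Reordering these two clauses reintroduces the original problem, since `access to *` would match the root DSE first and deny it to anonymous.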