Re: Got it working
At 08:03 AM 2002-02-15, manig wrote:
>- Added a password for the user using saslpasswd(8), with the following
>command:
>
>saslpasswd -c "u:shigeru"

It seems odd that you have authentication identities which
start with "u:".  You are likely confusing the form of LDAP
authorization identity derived from authentication identities
with the authentication identities.

If you represent the authentication identity "u:shigeru" 
as LDAP authorization identity, it would become "u:u:shigeru".

I suggest you use the authentication identity "shigeru"
instead, which when represented as the LDAP authorization
identity would be "u:shigeru".


>- Things should be working properly now. Test things out:
>
>/usr/local/bin/ldapsearch -I -D "uid=shigeru" "cn=*"

Since you are doing SASL authentication, the DN here is irrelevant.

>SASL/DIGEST-MD5 authentication started
>SASL Interaction
>Default: root
>Please enter your authentication name: u:shigeru
>Please enter your authorization name: u:shigeru

This says I am "u:shigeru" (LDAP authzid "u:u:shigeru") but
I'd like to be authorized as "u:shigeru".  Whether the
LDAP authzid "u:u:shigeru" has permission to authorize as the
LDAP authzid "u:shigeru" is generally a matter of policy.

In 2.0, there is no policy support and it would normally
refuse to accept this bind.  However, it allows the
authentication identity "bob" to authorize as the
authorization identity "u:bob" or as the INVALID
authorization identity "bob" (for historical reasons).
To explain the behavior you see, s/bob/u:shigeru/ in the above.

>Note that I entered u:shigeru as both the authentication and
>authorization names. This causes whichever OpenLDAP client (in this case
>ldapsearch) to not specify an authzid in the DIGEST-MD5 authentication
>process (which is good). If I leave authorization name blank, it will
>specify authzid="", which is less desirable. I don't know if this should
>be considered a bug.

Unless you are attempting proxy authorization, an authorization
should not be specified.  To do so unnecessarily will only cause
confusion.

Kurt
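The identity mapping Kurt describes, as an added example (it is not code from the thread or from OpenLDAP): it derives the LDAP authorization identity from a SASL authentication identity, parses the RFC 4513 "u:" and "dn:" authzid forms, flags the double "u:u:" prefix that results from creating the SASL user as "u:shigeru", models the 2.0 behaviour (no policy support; an authcid may only authorize as "u:<authcid>" or the invalid bare "<authcid>"), and collapses an unnecessary authzid to none so that one is only sent for proxy authorization. The policy function is a reading of Kurt's description, not slapd's code; the identities used are constructed.

```python
# Added example (not from the thread or from OpenLDAP): models the distinction
# between a SASL authentication identity (authcid) and the LDAP authorization
# identity (authzid) derived from it.  Assumes the RFC 4513 authzId forms
# "u:<userid>" and "dn:<distinguishedName>"; the 2.0 policy model below is a
# reading of Kurt's description, not slapd code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthzId:
    """A parsed LDAP authorization identity."""
    kind: str    # "u" (userid form) or "dn" (distinguished-name form)
    value: str


def authzid_from_authcid(authcid: str) -> str:
    """LDAP authzid form of a SASL authentication identity.

    'shigeru' -> 'u:shigeru'.  A SASL username which itself starts with 'u:'
    (the mistake in the thread) comes out double-prefixed:
    'u:shigeru' -> 'u:u:shigeru'.
    """
    if not authcid:
        raise ValueError("empty authentication identity")
    return "u:" + authcid


def parse_authzid(authzid: str) -> AuthzId:
    """Parse an RFC 4513 authzId; anything without a u:/dn: prefix is invalid."""
    if authzid.startswith("u:"):
        return AuthzId("u", authzid[2:])
    if authzid.startswith("dn:"):
        return AuthzId("dn", authzid[3:])
    raise ValueError("invalid LDAP authzid (no u:/dn: prefix): %r" % authzid)


def looks_double_prefixed(authzid: str) -> bool:
    """True for 'u:u:...', the symptom of an authcid created as 'u:<name>'."""
    parsed = parse_authzid(authzid)
    return parsed.kind == "u" and parsed.value.startswith("u:")


def openldap20_authz_allowed(authcid: str, requested: Optional[str]) -> bool:
    """Model of the 2.0 behaviour described above: with no policy support an
    authcid may only authorize as its own derived authzid ('u:<authcid>') or,
    for historical reasons, as the invalid bare form '<authcid>'.  An absent
    or empty authzid means 'authorize as yourself' and is always accepted."""
    if not requested:
        return True
    return requested in (authcid, authzid_from_authcid(authcid))


def sasl_bind_identities(authcid: str,
                         authzid: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """What a client should hand to the SASL layer.

    The authzid is only sent when proxy authorization is actually wanted: a
    blank authzid, or one naming the same identity as the authcid, collapses to
    None so the server simply authorizes the authenticated user.
    """
    if not authzid or authzid == authcid or authzid == authzid_from_authcid(authcid):
        return authcid, None
    parse_authzid(authzid)           # reject a malformed proxy target early
    return authcid, authzid


if __name__ == "__main__":
    for name in ("shigeru", "u:shigeru"):
        print("authcid %-11r -> authzid %r" % (name, authzid_from_authcid(name)))
    print(sasl_bind_identities("shigeru", "shigeru"))    # no authzid sent
    print(sasl_bind_identities("shigeru", "u:alice"))    # proxy authorization
```

The ldapsearch interaction in the thread corresponds to `sasl_bind_identities("u:shigeru", "u:shigeru")`, which sends no authzid at all; under the 2.0 model that bind is accepted because the server then authorizes the authenticated user as itself. Creating the SASL user as "shigeru" instead keeps the derived authzid at "u:shigeru" and avoids the "u:u:" form.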