
Re: Got it working



At 09:26 AM 2002-02-15, Tarjei Huse wrote:
>One question: saslpasswd -c u:<uid>
>
>Is the u: part needed?

No.  The syntax of the saslpasswd command is
        saslpasswd -c <authcid>


When OpenLDAP derives the LDAP authorization identity
from the SASL authentication identity, it uses the
u: form.  Hence SASL authentication identity <authcid>
is represented as the LDAP authorization identity
u:<authcid>.   Likewise, the SASL authentication
identity u:<uid> becomes the LDAP authorization
identity "u:u:<uid>".

Subsequent to this mapping, OpenLDAP 2.0 then maps
the LDAP authorization id (u:authcid) it derived from
the SASL authentication id (authcid) to an
Authorization (or Subject) DN of the form
"uid=authcid+...".


>If I set a password like saslpasswd tarjei or through
>cyrus-imapd then the 'u:' part is not included, right?

No.  The user (of IMAP, SMTP, whatever) is expected to
provide their SASL authentication identity.  If "u:"
is part of that identity, then it is that way everywhere.

>Is it possible to set up
>OL so I do not need to use the u: part?

Yes.

>Also, to use OL w/ SASL, do I have to use saslpasswd for changing my
>userPassword or can this be done e.g. through an LDIF file?

In 2.0, you need to use saslpasswd to change values managed by
SASL and ldappasswd to change values of userPassword and other
tools to change values held elsewhere.

2.0 does not support in-directory storage of SASL credentials,
but does support use of SASL credentials to support simple
authentication (via {SASL} userPassword scheme).

>Has anyone managed to use sasl together with pam-ldap and changed passwords
>through the normal passwd command?

Likely, that's a topic more appropriate for the PAM LDAP
list at <pamldap@padl.com>.

Kurt