Re: Storing SASL secrets in the directory
On Fri, Jul 12, 2002 at 03:16:24AM -0700, Howard Chu wrote:
>
> Using this rule
> sasl-regexp "uid=(.*),cn=digest-md5,cn=auth" "ldap:///o=foo,c=us??sub?cn=$1"
That fixed it, thanks. It helps to know that digest-md5 does not use a
realm!
I now have in-directory secrets working and have started looking at
password changing mechanisms. I am forcing the password change exop to
store cleartext passwords with the config option:
password-hash {CLEARTEXT}
ldappasswd works correctly when I bind with the non-SASL mechanism:
ldappasswd -S -x -W -C -D "cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
However, when I use SASL I run into problems:
ldappasswd -S -C -U u000997
New password:
Re-enter new password:
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u000997
SASL SSF: 128
SASL installing layers
Result: Unknown error (80)
Additional info: SASL(-7): invalid parameter supplied: Parameter error in server.c near line 149
If I specify the DN of the entry I want to change then the error is
different:
$ ldappasswd -S -C -U u000997 "cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
New password:
Re-enter new password:
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u000997
SASL SSF: 128
SASL installing layers
Result: DSA is unwilling to perform (53)
Additional info: user must change own password
This suggests to me that the server is not applying saslRegexp when
handling the exop.
Would you expect this to work? If this is a bug I will submit logs etc.
to help diagnose it. I am also working on some notes on using
DIGEST-MD5 which I will submit for the SASL section of the admin
guide.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| Andrew.Findlay@skills-1st.co.uk +44 1628 782565 |
-----------------------------------------------------------------------
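The two pieces of behaviour discussed in this message, the sasl-regexp mapping from a SASL identity to a directory entry and the password exop's "own password" check, are easy to reason about when modelled in a few lines. The following Python is an added illustration and not code from the thread or from OpenLDAP: it assumes a small constructed directory under dc=example,dc=org, a hypothetical sasl-regexp rule adapted from the one quoted above (matched on uid rather than cn), and simplified DN normalization (no escaped commas or plus signs, case-insensitive values), and it models the exop check as "the requester's DN must be the same entry as the target" rather than reproducing slapd's actual code.

```python
import re

# Constructed sample directory for this example (not from the thread).
DIRECTORY = {
    "cn=Andrew Pathan+uid=u000997,dc=example,dc=org": {
        "cn": ["Andrew Pathan"], "uid": ["u000997"], "userPassword": ["{CLEARTEXT}secret"],
    },
    "cn=Other User+uid=u000001,dc=example,dc=org": {
        "cn": ["Other User"], "uid": ["u000001"], "userPassword": ["{CLEARTEXT}other"],
    },
}

# Hypothetical sasl-regexp rule, in slapd.conf style (pattern, replacement), adapted
# from the one quoted in the thread but matching on uid in the example.org subtree.
SASL_REGEXP_RULES = [
    (r"^uid=([^,]*),cn=digest-md5,cn=auth$", "ldap:///dc=example,dc=org??sub?(uid=$1)"),
]


def sasl_authz_dn(username, mech="digest-md5", realm=None):
    """Build the uid=...,cn=[realm,]cn=mech,cn=auth form a SASL identity takes before mapping.
    DIGEST-MD5 supplies no realm here, so that component is omitted (assumption for this example)."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(authz_dn, rules=SASL_REGEXP_RULES):
    """Apply the first matching rule; $N in the replacement is the Nth capture group."""
    for pattern, replacement in rules:
        m = re.search(pattern, authz_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled")
    fields = url[len("ldap:///"):].split("?") + [""] * 4
    base, attrs, scope, filt = fields[:4]
    return {"base": base, "attrs": attrs.split(",") if attrs else [],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def search(url):
    """Evaluate the search URL against DIRECTORY. Only the sub scope and a single
    equality filter are supported, which is all the identity mapping needs."""
    u = parse_ldap_url(url)
    m = re.fullmatch(r"\(?(\w+)=([^)]*)\)?", u["filter"])
    attr, value = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        in_scope = dn.lower().endswith(u["base"].lower())
        if in_scope and value in [v.lower() for v in entry.get(attr, [])]:
            hits.append(dn)
    return hits


def map_sasl_user_to_dn(username):
    """Full mapping: SASL identity -> regexp -> search; exactly one hit is required."""
    url = apply_sasl_regexp(sasl_authz_dn(username))
    if url is None:
        return None
    hits = search(url)
    return hits[0] if len(hits) == 1 else None


def normalize_dn(dn):
    """Simplified DN normalization: lowercase, trim, sort AVAs inside multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        avas = []
        for ava in rdn.split("+"):
            t, _, v = ava.partition("=")
            avas.append((t.strip().lower(), " ".join(v.split()).lower()))
        rdns.append("+".join(f"{t}={v}" for t, v in sorted(avas)))
    return ",".join(rdns)


def passwd_exop_allowed(bound_dn, target_dn=None):
    """Model of the exop check: no target means 'my own entry'; a target that is a
    different entry from the bound identity is refused."""
    target = target_dn or bound_dn
    if normalize_dn(bound_dn) != normalize_dn(target):
        return "not own password"
    if normalize_dn(target) not in {normalize_dn(d) for d in DIRECTORY}:
        return "no such entry"
    return "ok"
```

Running the thread's scenario through this model: an unmapped identity such as uid=u000997,cn=digest-md5,cn=auth is not an entry, so a request with no target has nothing to modify, and a request naming the real entry fails the "same entry" comparison; only once the identity has been mapped through the regexp does the comparison succeed, even when the multi-valued RDN is written in a different order.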