userPassword: Can it store SASL and unix/NSS_LDAP secrets?
- To: openldap-software@OpenLDAP.org
- Subject: userPassword: Can it store SASL and unix/NSS_LDAP secrets?
- From: Richard CHAN Shih-Ping <cshihpin@dso.org.sg>
- Date: Fri, 29 Nov 2002 09:36:55 +0800
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021128
Hi all,
I'm trying to make my directory a one-stop shop for all authentication.
Is it possible for the LDAP directory to manage SASL secrets for access
to the directory and a separate password for access to UNIX systems
using nsswitch NSS_LDAP?
Hope you can clarify my understanding of in-directory SASL secrets; it goes
something like this (please please jump in and correct me):
For UNIX logons you need something like
userPassword: {crypt}XXXXXXXXXXXXXXX
and configure nsswitch.conf to use nss_ldap for logon.
This gets reused for LDAP simple auth and SASL plain, right?
(Can you tell them to use another attribute if I don't want to
overload this attr?)
(BTW OpenLDAP provides a callback to SASL2 so that the PLAIN
mechanism always checks in-directory secrets; this confused me
because it wouldn't use sasldb2. Right? What's even more confusing
is that the DIGEST-MD5 mechanism doesn't use the callback and needs
further configuring. I respectfully suggest that the admin guide on SASL
needs to include lots of examples of /etc/openldap/slapd.conf
and /usr/lib/sasl2/slapd.conf.)
For in-directory SASL secrets you need
In /usr/lib/sasl2/slapd.conf
[Is this correct? The documentation is not very clear here]
pwcheck_method: auxprop
auxprop_plugin: slapd
and in the directory itself
userPassword: {cleartext}mydigestmd5secret
So is it possible to manage *both* secrets at the same time, like a
userPassword_for_UNIX and userPassword_for_SASL combination?
Cheers
Richard
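An added example (not part of the original post or of OpenLDAP itself) that scans an LDIF export and reports which RFC 2307 scheme prefixes each entry's userPassword values use, so an admin can see where the {cleartext} values the DIGEST-MD5 auxprop path needs sit next to {crypt} values used for UNIX logon. The LDIF, DNs and values below are constructed for the example; unprefixed values are reported as cleartext because that is how slapd compares them.

```python
import base64
import re
from collections import defaultdict

# Constructed sample LDIF (not from the post): one entry holding a {crypt}
# value and a {cleartext} value side by side, another with a base64-encoded
# value ("::" syntax) and a value with no scheme prefix at all.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {crypt}XXXXXXXXXXXXXXX
userPassword: {cleartext}mydigestmd5secret

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword:: e1NTSEF9ZHVtbXk=
userPassword: noschemeprefix
"""

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)


def password_scheme(value: str) -> str:
    """Return the upper-cased RFC 2307 scheme prefix of a userPassword value.
    A value without a {scheme} prefix is cleartext as far as slapd is concerned."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def scan_ldif(text: str) -> dict:
    """Map each entry DN to the list of schemes its userPassword values use.
    Handles base64-encoded ('::') values and multi-valued attributes."""
    result = defaultdict(list)
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: ") and dn:
            raw = base64.b64decode(line[len("userPassword:: "):]).decode()
            result[dn].append(password_scheme(raw))
        elif line.startswith("userPassword: ") and dn:
            result[dn].append(password_scheme(line[len("userPassword: "):]))
    return dict(result)


def cleartext_entries(schemes: dict) -> list:
    """DNs that store at least one recoverable (cleartext) secret."""
    return sorted(dn for dn, s in schemes.items() if "CLEARTEXT" in s)
```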