Re: DIGEST-MD5 and CRAM-MD5 again.

[Dieter Kluenter <dieter@dkluenter.de>]

Hello,

Igor Karpov <jc@minjust.gov.ua> writes:

> Hi!
>
> Alright, I have LDAP auth (for this time, cyrus->saslauthd->openldap)
> working with PLAIN and LOGIN. For I'm using TLS between MUAs and cyrus
> it would be enough, but I also want to add MD5-CRAM & MD5-DIGEST to
> this.
>
> Now I have to admit I'm stuck and need a help.
>
> It's a pity, but O'Reilly's "LDAP System Administration" becomes too
> laconic when it comes to SASL. The short example from this book
> describes Kerberos-based solution. I agree, it is useful for those
> who's running Kerberos, but completely useless for those who's not.
>
> Can anyone to show me what have to be changed to add this
> functionality?

Nothing has to be changed (in principle), but as my sasl realm is
different from host.domain.tld I added a sasl-realm directive in
slapd.conf. 

> Should slapd.conf still include rootpw & rootdn? If not, how openldap
> decides who have right to perform different actions on its tree -
> basing on ACLs?

you can keep rootdn and rootpw in an entry and have them removed from
slapd.conf. 
>
> I'm sorry I'm asking too many questions in one letter, but I feel I'm
> lost with this...

I presume you have cyrus-sasl compiled with ldap support, so your
directory contains all users and passwords, alternatively you have
created sasldb2 with users credentials. To make use of a sasl
mechanism you just pass this mechanism as parameter to an ldapclient
like ldapsearch, i.e.

ldapsearch -Y DIGEST-MD5 -b "your base" 


-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de