Re: SASL tips worth adding to documentation?

[Pierangelo Masarati <ando@sys-net.it>]

Aleksander Adamowski wrote:

> Hi!
> I've been playing with SASL auth in OpenLDAP 2.1.
>
> Basically, the documentation page on
> <http://www.openldap.org/doc/admin21/sasl.html> lacks most info needed
> to get SASL working in almost any setup...
>
> E.g. it's not mentioned anywhere that one needs to give unauthenticated
> users read permissions to the supportedSASLMechanisms attribute, or else
> some clients (even those shipped with OpenLDAP!) won't be able to get
> the list of supported mechs and terminate with an error before even
> trying to authenticate!
>
> So one needs something like this:
>
> access to attrs=supportedSASLMechanisms
>  by peername=192\.168\.0\..* read
>
> to enable this for machines on local network 192.168.0.0/24.

Basically, all the info in the rootDSE need to be readable
by anonymous, otherwise, you intentionally defeat the purpose
of the rootDSE.

p.

> The documentation page also lacks description of sasl-related directives
> (that are documented in slapd.conf manpage, but weakly).
>
> So I propose that anybody who reads this share his/her tips related to
> SASL in OpenLDAP and then we'll submit collected info for inclusion in
> the admin guide at <http://www.openldap.org/doc/admin21/sasl.html>.
>
> Best regards,



+----------------------------------------------------------------------------+
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |
+----------------------------------------------------------------------------+