
RE: Openldap 2.2.4 SASL Proxy auth



Wed, 21.01.2004 at 04:35, Howard Chu wrote:

> > 1: It would be "nice" if I could configure both Openldap versions
> > separately. But I can't write a sasl-regexp for the 2.2.4 instance
> > that refers to port 9001. This works:
> >
> > sasl-regexp uid=(.*),cn=digest-md5,cn=auth
> >    "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1"
> >
> > This doesn't:
> >
> > sasl-regexp uid=(.*),cn=digest-md5,cn=auth
> >    "ldaps://localhost:9001/dc=billy,dc=demon,dc=nl??sub?uid=$1"
> >
> > Is there any way of referring the regex to port 9001?
> 
> Please notice that sasl-regexp is documented to perform internal searches.
> The scheme and host part of the URI are ignored, they are merely left in
> place to conform to the URI syntax definition. In 2.2 the regexp's are
> rejected if the host part is non-empty. They were silently ignored in 2.1.

Noted, thanks. The 2.2.4 debug output is really good; but I don't recall
seeing any actual rejection of the "bad" regex.

> > At the moment, the 2.2.4 instance running on port 9001 is going to the
> > 2.1.25 instance *over ldapi* (that's what I have in ldap.conf) for
> > authorization, which is not what I want :) I'm running the 2.2.4 daemon
> > from an Xterm console at log level 7. I can see all this from the 2
> > separate log instances.
> 
> Make sure slapd is not configured to use libldapdb. As the README says, slapd
> should never be configured with libldapdb. In a default configuration, what
> you describe can not happen.

I've confirmed that the 2.2.4 slapd running on port 9000 is doing the
SASL proxy auth, by temporarily shutting down the system AUTH slapd on
port 389/Unix socket. The funny thing was, the proxy AUTH *was* being
duplicated by this daemon.

My /usr/lib/sasl2/slapd.conf "short-circuits", so that it doesn't use
libldapdb, simply the sasl2 libs linked into slapd.

> Ando can probably answer your question #2, I don't recall off the top of my
> head.

That would be Andrew Finlay. Hope he reads this.

I'm getting a good feeling about 2.2.4.

Thanks for the answers.

--Tonni

-- 
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
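The point Howard makes above, that the host part of a sasl-regexp replacement URI is never used for a remote connection and that 2.2 refuses such a URI outright, is easy to check before restarting slapd. The following is an added example, not code from this thread or from the OpenLDAP project: a small Python lint that reads the sasl-regexp directives out of a constructed slapd.conf fragment (modelled on the two forms quoted above), flags any replacement whose URI carries a host[:port] part, and shows what search URI a given SASL authorization identity is mapped to. The function names, the SAMPLE_CONF fragment and the identity `uid=tonni,cn=digest-md5,cn=auth` are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed slapd.conf fragment (not taken from a real deployment): the first
# directive uses the ldaps:/// form the thread reports as working, the second
# carries the host:port form that slapd 2.2 rejects.
SAMPLE_CONF = """
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1"
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps://localhost:9001/dc=billy,dc=demon,dc=nl??sub?uid=$1"
"""


def parse_sasl_regexps(conf_text):
    """Return (pattern, replacement) pairs for every sasl-regexp directive.

    slapd.conf continues a directive onto the next line when that line begins
    with whitespace, so continuation lines are joined to the directive first.
    """
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pairs = []
    for line in logical:
        m = re.match(r'sasl-regexp\s+(\S+)\s+"([^"]*)"', line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def host_part(uri):
    """Host[:port] of an LDAP URI; empty string for the ldap:/// form."""
    return urlsplit(uri).netloc


def lint_sasl_regexps(conf_text):
    """List the replacement URIs whose host part is non-empty.

    slapd performs the search internally whatever the host says; 2.2 rejects
    a non-empty host part and 2.1 silently ignored it, so both are config bugs.
    """
    return [repl for _, repl in parse_sasl_regexps(conf_text) if host_part(repl)]


def map_authzid(pattern, replacement, authzid):
    """Apply one sasl-regexp to a SASL authorization DN.

    Returns the search URI with $1, $2, ... substituted, or None when the
    pattern does not match the identity (slapd would then try the next rule).
    """
    m = re.fullmatch(pattern, authzid)
    if not m:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace("$%d" % i, group)
    return out


if __name__ == "__main__":
    for bad in lint_sasl_regexps(SAMPLE_CONF):
        print("rejected by slapd 2.2 (non-empty host part):", bad)
    pattern, repl = parse_sasl_regexps(SAMPLE_CONF)[0]
    print(map_authzid(pattern, repl, "uid=tonni,cn=digest-md5,cn=auth"))
```

Run against a real slapd.conf the lint reports exactly the directive that 2.2 turns away, so the "port 9001" form is caught before the daemon is restarted; the mapping function only mirrors the `$1` substitution, it does not perform the internal search that slapd would run.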