
No subject



Fri, 30.04.2004 at 03:58, Ben Booble wrote:

> I have been going through the very good http://www.billy.demon.nl/ guide for 
> postfix sasl ldap howto but have run into a problem.

Had a couple of top-flight Openldap and Postfix LDAP mentors ;)

> I am running openldap-2.1.25, cyrus-sasl-2.1.17, redhat ES3.  I have 
> compiled and installed ldapdb.c according to the readme.  In the guide 
> mentioned above, to test the success of the installation you submit this 
> command...

I'm running RHEL3 too, so all compiles and stuff should work well
(though I'm now with OL 2.2.11/2.1.30). Just a couple of things, apart
from what Dieter wrote:

[...]
> <==slap_sasl_check_authz: saslAuthzTo check returning 48
> <== slap_sasl_authorized: return 48
> SASL Authorize [conn=6]:  authorization disallowed (48)
> SASL [conn=6] Failure: not authorized

It seems to be barfing at saslAuthzTo.

Can't say for sure, but someone wrote that "dn.regex" in saslAuthzTo
didn't work for them; they had to use plain "dn" instead, as I had originally.
Try that. Also, at a given moment when updating OL versions, I had to
use a saslAuthzTo with an ldap URI (but it all works again now, with
your own version):

ldap:///ou=people,ou=groups,dc=example,dc=com??sub?(objectclass=Person).

Though the Admin Guide warns that this is resource-heavy. See if it
works.

If you use RHEL3 with X, grab and compile/install GQ 1.0b1. Changing or
adding to the saslAuthzTo attribute (it's multi-valued) is a cinch,
then.

> slapd.conf ACL
[...]

The ACLs should work, if admin can change passwords for users. Though
the whole ACL stuff has been radically improved and augmented in the
latest OL versions, making things much more logical to my mind.

Leave unnecessary stuff out of slapd.conf, till it works:

> password-hash   {CLEARTEXT}
> #sasl-host servername
> sasl-authz-policy to
> sasl-realm servername                                          <<== comment out
> sasl-secprops noplain noanonymous maxssf=128 <= comment out
> sasl-regexp uid=(.*),cn=servername,cn=digest-md5,cn=auth
> uid=$1,ou=people,dc=cpc                       <<== single line, comment out
> sasl-regexp uid=(.*),cn=digest-md5,cn=auth
> "ldap:///ou=people,dc=cpc??sub?uid=$1";                      <<= single
> line

[...]

> ldapsearch -x -D "uid=admin,ou=people,dc=cpc" -W 'uid=admin' saslauthzto
> # admin, people, cpc
> dn: uid=admin,ou=people,dc=cpc
> saslAuthzTo: dn.regex:uid=.*,ou=people,dc=cpc

O.k., you can auth as admin.

One last thing: I had to go back to the OL 2.1.22 version of the ldapdb
auxprop to get it to work with Postfix after a Cyrus SASL update - I
don't know why. It would be interesting to read what others' experience
is with the latest (2.2.11 or 2.1.30) ldapdb version, but AFAICS *very*
few Postfix LDAP people use auxprop, most use pam or saslauthd -> sasldb
- which defeats the beauty of the whole LDAP/auxprop thing.

Best,

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
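The three saslAuthzTo forms the reply above discusses (plain dn, dn.regex, and an ldap URI), written out as an ldapmodify LDIF for the admin entry from the quoted ldapsearch. This is an added example, not part of the original thread; it assumes `sasl-authz-policy to` stays in slapd.conf as quoted, and `uid=jdoe` is a placeholder user.

```ldif
# Added example (not from the thread). Apply with:
#   ldapmodify -x -D "uid=admin,ou=people,dc=cpc" -W -f saslauthzto.ldif
# Base dc=cpc and uid=admin come from the quoted ldapsearch output;
# uid=jdoe, the anchored regex and the search filter are this example's
# assumptions. saslAuthzTo is multi-valued, so all three forms can coexist;
# "replace" drops the old dn.regex value that was failing with code 48.
dn: uid=admin,ou=people,dc=cpc
changetype: modify
replace: saslAuthzTo
# 1. Plain DN: exact match, no regex or search cost. The reply suggests
#    trying this form first. One value per identity admin may act as.
saslAuthzTo: dn:uid=jdoe,ou=people,dc=cpc
# 2. Regex: anchor it with ^ and $ as the Admin Guide examples do, and use
#    [^,]* rather than .* so a value cannot spill across RDN boundaries.
#    The quoted "dn.regex:uid=.*,ou=people,dc=cpc" has neither.
saslAuthzTo: dn.regex:^uid=[^,]*,ou=people,dc=cpc$
# 3. LDAP URI: slapd runs this search on every authorization request,
#    which is why the Admin Guide calls it resource-heavy. Keep the scope
#    and filter as narrow as the use case allows.
saslAuthzTo: ldap:///ou=people,dc=cpc??sub?(objectClass=person)
```

After applying, re-run the quoted ldapsearch for `saslauthzto` and retry the SASL bind with debugging on; `slap_sasl_check_authz` should no longer return 48 for the chosen form.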