
Re: OpenLDAP/SASL working only with unhashed passwords



> > But I'm out of clues with PLAIN (over TLS, using a self-signed
> > certificate) as to why it doesn't work for a user whose password is in
> > SSHA. The users are test users I entered, the ldif file used was
> > 1:1, only the uids and passwords were different. Am I still missing
> > some basic principle of SASL, or what's going on here?
> 
> You can use saslauthd to authenticate PLAIN. I'm using 
> saslauthd/pam with libpam_ldap to accomplish this during a 
> transition period where my passwords are hashed.
> 
> You'd need to set the pwcheck_method to include saslauthd in your 
> slapd.conf *sasl* config file to support it.

It works! Dan, THANKS! You really made my day!

As googling around reveals, people have been asking these same
questions for the past five *years*, so I think I owe it to post my config
below.

saslauthd.conf, starting the daemon with saslauthd -d -a ldap

ldap_servers: ldap://10.0.0.1/
ldap_start_tls: yes
ldap_search_base: dc=intra

sasl2/slapd.conf (first line just to make sure slapd only uses its
internal ldapdb)

auxprop_plugin: slapd
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

openldap/slapd.conf (relevant portions):

authz-regexp uid=([^,]*),cn=PLAIN,cn=auth uid=$1,ou=People,dc=intra


It's always a bit depressing to see how things come together after
wasting several days of one's life, but at least I've finally got this
part working and can continue on my merry way...

Thanks!
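An added example, not part of the thread above, illustrating the two pieces the fix relies on: verifying a PLAIN password against an {SSHA} userPassword the way an LDAP bind does (which is what saslauthd -a ldap delegates to, and why a check that expects a cleartext userPassword fails), and the authz-regexp mapping from the posted slapd.conf. The sample salt and password are constructed; anchoring and case-insensitivity of the regexp are assumptions made here.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample: the {SSHA} value stored for the password
# "correct horse" with a fixed 4-byte salt (real servers pick a random salt).
SALT = b"\x01\x02\x03\x04"
STORED_SSHA = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"correct horse" + SALT).digest() + SALT).decode()


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against an LDAP {SSHA} userPassword.
    Format: '{SSHA}' + base64(sha1(password + salt) + salt); SHA-1 digest is 20 bytes.
    This is the comparison slapd performs on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, computed)


def cleartext_compare(stored: str, candidate: str) -> bool:
    """What a PLAIN check that expects a cleartext userPassword amounts to:
    a direct comparison, which can never match a hashed value."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


# The authz-regexp from the post, anchored and case-insensitive (assumed here,
# since slapd may lowercase the SASL DN before matching).
AUTHZ_PATTERN = re.compile(r"^uid=([^,]*),cn=PLAIN,cn=auth$", re.IGNORECASE)
AUTHZ_TEMPLATE = r"uid=\1,ou=People,dc=intra"


def map_authcid(sasl_dn: str) -> Optional[str]:
    """Map the SASL authentication identity (uid=...,cn=PLAIN,cn=auth) to
    the directory entry that actually holds the user's attributes."""
    m = AUTHZ_PATTERN.match(sasl_dn)
    return m.expand(AUTHZ_TEMPLATE) if m else None
```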



