
Re: Getting LDAP and SASL (digest-md5) to play nice



Hallvard B Furuseth wrote:
> Rick Stevens writes:
>> I'm sure I'm not the only person having this issue, but I absolutely
>> cannot seem to get SASL and LDAP to work.  I want SASL to authenticate
>> using the passwords in LDAP, but in the classic chicken-and-egg
>> scenario, you can't talk to LDAP without having SASL working first.
>
> Hmm, this could use a mention in the Admin Guide.

No.

> I haven't tried it myself, but: In addition to setting up slapd to
> use SASL, you must set up SASL to use LDAP.  In Cyrus SASL, that is
> described in doc/install.html: Build with LDAP support (the circular
> dependency shows up here too), then use the LDAPDB auxprop plugin.

The ldapdb plugin is only needed by other SASL-enabled services that are meant to use LDAP for authentication. It does not deserve mention in the OpenLDAP Admin Guide because it is strictly a SASL administrator's concern. That's also why we moved the ldapdb code from the OpenLDAP source tree into the Cyrus SASL source tree, and why the ldapdb plugin is only documented in the Cyrus SASL documentation. Don't muddy the picture by dragging in irrelevant elements.


For SASL authentication within OpenLDAP software, all of the necessary components are already intrinsic to libldap and slapd.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/