Re: Getting LDAP and SASL (digest-md5) to play nice

[Howard Chu <hyc@symas.com>]

Rick Stevens wrote:
> So, SASL is happy with an entry in the sasldb, but obviously that DN
> isn't in the LDAP database.  So, I added an authz-regexp:
>
> 	authz-regexp
> 	        uid=([^,]*),cn=[^,]*,cn=auth
> 	        uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com
>
> Now, ldapwhoami gives me:
>
> [root@prophead ~]# ldapwhoami -w unix__gort
> SASL/DIGEST-MD5 authentication started
> SASL username: root
> SASL SSF: 128
> SASL installing layers
> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> Result: Success (0)
>
> Isn't that grand!  That's what I want (I think),

Is that really what you think? Look closely.

> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com

> but it requires
> me to put an entry in the sasldb and I don't think that's necessary
> from what I gather from the docs.  However, without it, I can't
> authenticate at all, and therefore can't even get to LDAP.
>
> That being said, even that doesn't appear to be enough as I have an
> access rule:
>
> 	access to attrs=userPassword
> 	        by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write

And again, look closely.

> 	        by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write


> 	        by dn="cn=manager,dc=gbsbilling,dc=com" write
> 	        by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
> 	        by anonymous auth
> 	        by self write
> 	        by * none

Pay attention to what you're doing.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/