
Re: openldap+sasl confusion



Seau Yeen Su <seauyeen@mgrc.com.my> writes:

> Hi Michael, thank you so much for your response.
>
> 1. Yes, I am talking about SASL bind with password-based mechs. What do you
> mean by in-directory passwords? Where are the in-directory passwords stored?
> How do I set userPassword attributes? Can you give an example? It should be
> in slapd.conf, I assume.

No, userPassword is an attribute type.

> 2. Again, what do you mean by the directory? What is the best practice if I
> want to implement SASL bind with my openldap? Can you advise please.

1. add the following attribute to cn=config
   olcAuthzRegexp: {0}"uid=(.*),cn=.*,cn=auth"
        "ldap:///dc=example,dc=com??sub?uid=$1";

2. SASL requires the attribute type 'uid', if your user entries don't
   have this attribute assigned, add it, this may require the
   additional objectclass uidobject if your user entries do not belong
   to objectclass inetOrgPerson

3. In order to verify the SASL mechanism challenge, the value of
   userPassword has to be plaintext. To ensure this add something like
    olcPasswordHash: {CLEARTEXT}
   to cn=config

4. Try something like 'ldapwhoami -Y digest-md5 -U someUser -w secret
   -H ldap://your.host'
   The result should be the DN of someUser

[...]

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
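The olcAuthzRegexp mapping from step 1 above, modelled as an added example (not code from the poster or from OpenLDAP): it builds the uid=...,cn=<mech>,cn=auth identity slapd derives from a SASL bind, applies the regexp/replacement pair, and splits the resulting LDAP URL into the search slapd would run. Python's greedy `(.*)` is assumed to behave like the POSIX regexes slapd uses for this pattern; the realm-qualified identity shows why the greedy capture needs care.

```python
import re
from urllib.parse import unquote

# Pattern and replacement copied from the post; everything else is constructed.
AUTHZ_REGEXP = r"uid=(.*),cn=.*,cn=auth"
AUTHZ_REPLACEMENT = "ldap:///dc=example,dc=com??sub?uid=$1"
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def sasl_authc_id(user, mech, realm=None):
    """Identity slapd forms from a SASL bind before any authz-regexp runs.
    With a realm it is uid=<user>,cn=<realm>,cn=<mech>,cn=auth."""
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(authc_id, pattern=AUTHZ_REGEXP, replacement=AUTHZ_REPLACEMENT):
    """Rewrite the identity into a DN or LDAP URL; None when the regexp does not match.
    slapd writes capture groups as $1..$9, so expand those by hand."""
    m = re.fullmatch(pattern, authc_id)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter (RFC 4516) into search parameters."""
    if not url.startswith("ldap://"):
        return None
    host, _, path = url[len("ldap://"):].partition("/")
    fields = path.split("?") + ["", "", ""]
    base, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {"host": host or None, "base": base,
            "attrs": attrs.split(",") if attrs else [],
            "scope": SCOPES.get(scope, scope), "filter": filt or "(objectClass=*)"}


def resolve(authc_id):
    """Identity -> rewritten target -> search parameters (or a literal DN).
    slapd only accepts the mapping if that search returns exactly one entry;
    a filter that matches nothing means the bind fails."""
    target = apply_authz_regexp(authc_id)
    if target is None:
        return None
    return parse_ldap_url(target) if target.startswith("ldap://") else {"dn": target}
```

Note that the realm-qualified form yields the filter `uid=someUser,cn=example.com`, which no user entry has, so the greedy `(.*)` should be narrowed (for example to `[^,]*`) when clients send a realm.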