
Re: Problems Enabling Authentication using Cyrus SASL



Fernando Torrez <fernando_torrez@hotmail.com> writes:

> Hi all
> Thanks for all your suggestions
>
>    I tried the suggested command (thanks Moorthi):
>                   ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I
> with no success. I got this error:
>
> firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I
> SASL/DIGEST-MD5 authentication started
> SASL Interaction
> Default: u:test
> Please enter your authorization name: test
> Default: proxyuser
> Please enter your authentication name: proxyuser
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: unable
> authorization ID
>
> (Logs are at the bottom of this mail for details)
>
> I also realized that the logs changed almost nothing either the command below
> is running or not:
>
>             saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
>
> so I can say that unfortunately there's no communication between SASLAUTHD and
> LDAP.
>
> Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter)
>
> But I'm still wondering if there's a way to make the ldap server and cyrus-sasl
> work together. Let's be more accurate:
>
> 1.-  Connect to ldap server through cyrus-sasl (let's say authenticated/
> authorized proxyuser connected to ldap server)
> 2.-  Once connected to the ldap server, authenticate/authorize other user (or
> any object ) saved on ldap server using previous connection done in step 1
>
> Is that possible? Or am I driving myself crazy for nothing?
[...]

Is there any particular reason to include an external identity provider
daemon like saslauthd?
Why don't you just use the built-in sasl functions? As I already
mentioned:

1. create plaintext userPasswords,
2. configure authz-regexp to map sasl authentication string to an
   entry, (man slapd.conf(5))
3. add to /etc/sasl2/slapd.conf 'auxprop_plugin: slapd'
4. test with ldapwhoami

If you want additional proxy authentication
1. add an auth-policy to slapd.conf
2. add authzTo attribute and appropriate value to a proxy user entry,
3. test with ldapwhoami -X u:<proxy-user> -U <user> -Y <mechanism>

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
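The two procedures Dieter outlines (built-in SASL via the slapd auxprop plugin, then proxy authorization with authzTo) written out as a worked configuration. This is an added example, not configuration from the thread's participants or from the OpenLDAP project; the suffix dc=example,dc=com, the ou=people container, the entries test and proxyuser and their passwords are all constructed placeholders. The cleartext userPassword in step 1 is what DIGEST-MD5 needs server-side, so the ACL shown keeps that attribute unreadable to everyone but the entry itself and the rootdn.

```conf
# ---- /etc/openldap/slapd.conf (fragment; constructed example) ----

# Step 2: map the SASL authentication string that slapd builds
# ("uid=<name>,cn=<mech>,cn=auth", or with a realm
# "uid=<name>,cn=<realm>,cn=<mech>,cn=auth") onto a real entry.
# $1 is the first capture group, i.e. the SASL user name.
authz-regexp
  "uid=([^,]*),cn=[^,]*,cn=auth"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"
authz-regexp
  "uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# Proxy authorization, step 1: honour authzTo on the *authenticating*
# entry ("to" policy). "from"/"both" are the other choices in slapd.conf(5).
authz-policy to

# Step 1 stores cleartext passwords, so lock the attribute down: the
# entry may change its own, nobody else may read it (rootdn is implicit).
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by * read

# ---- /etc/sasl2/slapd.conf (step 3) ----
# Tell Cyrus SASL to fetch the secret from slapd's own database instead
# of saslauthd; restrict mechanisms to the one actually in use.
auxprop_plugin: slapd
mech_list: DIGEST-MD5

# ---- entries, as LDIF for ldapadd (step 1 and proxy step 2) ----
dn: uid=test,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test
cn: Test User
sn: User
userPassword: testsecret

dn: uid=proxyuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: proxyuser
cn: Proxy User
sn: User
userPassword: proxysecret
# Proxy step 2: this entry may assume the identity of any entry directly
# under ou=people. A dn.regex form is equally valid, e.g.
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
authzTo: ldap:///ou=people,dc=example,dc=com??one?(uid=*)

# ---- tests (step 4 and proxy step 3) ----
# Plain bind: authenticate as test, expect "dn:uid=test,ou=people,..."
#   ldapwhoami -U test -Y DIGEST-MD5
# Proxy bind: authenticate as proxyuser (-U), ask to become test (-X);
# expect "dn:uid=test,ou=people,..." once authzTo and authz-policy agree.
#   ldapwhoami -U proxyuser -X u:test -Y DIGEST-MD5
```

The "authorization failure: unable to authorization ID" in the quoted output is the symptom to watch for when checking this: it means the bind itself succeeded but slapd could not resolve or was not allowed to grant the requested -X identity, so the things to verify are that both SASL names map through authz-regexp to an entry (slapd -d 128 logs the mapping), that authz-policy is set, and that the authenticating entry's authzTo actually matches the target DN.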