
Re: SASL docs?

On Mon, 11 Sep 2000, Kurt D. Zeilenga wrote:

> At 10:05 PM 9/11/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
> >
> >I installed SASL and compiled OpenLDAP 2.0.1 so it now has SASL support.
> >Unfortunately I failed to read/find the proper documentation to import
> >my ldif file now.
> Proper documentation has yet to be written.  Volunteers welcomed
> to "jump on in."

I may as soon as I have a firm enough grasp of the whole subject to
describe it.

> No changes(*) to the directory are needed to use SASL as OpenLDAP 2.0
> relies upon Cyrus SASL to handle such.  That is, 2.0 doesn't support
> in directory storage of SASL authentication secrets.  2.1 support
> for such is under development.
> * unless you want to use "userPassword: {SASL}user" simple bind support
> [of course, the whole point of SASL in LDAP is to avoid simple bind].

Hmm. Sounds interesting. We got a radius server with one time password
tokens. I will study this in some more detail.

> >So I would welcome some pointers (URL) to SASL documentation or even
> >better a hint to get SASL + OpenLDAP usable for me.
> Add users to your SASLdb using saslpasswd(1) or external authentication
> service (such as Kerberos V).  slapd(8) will automatically authenticate
> any valid SASL user and assign an authorization DN of the form
> "uid=username + realm=REALM".  Depending on the mechanism/configuration
> (sasl-realm), the form might also be "uid=username@KREALM" (GSSAPI) or
> just "uid=username".  Once you get successful authentication, you can
> look at slapd.conf to see what authorization DNs are being produced.

Now this could be fun.

LDAP ==> SASL ==> PAM ==> LDAP

Not quite what you had in mind (I guess ;-)

I think I will investigate:



Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
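The two behaviours Kurt describes in the quoted reply, modelled as an added example that is not code from OpenLDAP or Cyrus SASL: a simple bind against "userPassword: {SASL}user" is handed to the SASL password check instead of being compared with a secret stored in the directory, and a successful SASL bind yields an authorization DN in one of the quoted forms. The SASL back end is a constructed in-memory table standing in for sasldb, and the names sasl_checkpass, simple_bind, sasl_bind and authz_dn are this example's own, not slapd's internal API. The multi-valued RDN is written without spaces around '+', per RFC 2253.

```python
"""Added example (not OpenLDAP or Cyrus SASL code): models how OpenLDAP 2.0 hands
a "{SASL}user" simple bind to SASL, and which authorization DN a SASL bind
produces.  sasl_checkpass, simple_bind, sasl_bind and authz_dn are names chosen
for this example; the user table below is constructed so that it runs offline.
"""

import hmac
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for sasldb (normally a file written by saslpasswd(1)).
_FAKE_SASLDB: Dict[Tuple[str, str], str] = {
    ("hugo", "EXAMPLE.NET"): "correct horse battery",
}


def sasl_checkpass(user: str, realm: str, password: str) -> bool:
    """Stand-in for the Cyrus SASL password check against sasldb."""
    stored = _FAKE_SASLDB.get((user, realm))
    if stored is None:
        return False
    # Constant-time compare: unknown user and wrong password look the same.
    return hmac.compare_digest(stored.encode(), password.encode())


def authz_dn(authcid: str, mechanism: str, realm: Optional[str]) -> str:
    """Authorization DN for a SASL authentication identity, in the quoted forms:
      uid=username+realm=REALM   realm known (e.g. DIGEST-MD5 with sasl-realm)
      uid=username@KREALM        GSSAPI, Kerberos realm is part of the name
      uid=username               no realm applies
    """
    if mechanism.upper() == "GSSAPI":
        # A Kerberos principal already carries its realm as user@REALM.
        if "@" in authcid or realm is None:
            return f"uid={authcid}"
        return f"uid={authcid}@{realm}"
    if realm:
        return f"uid={authcid}+realm={realm}"
    return f"uid={authcid}"


def sasl_bind(authcid: str, mechanism: str, realm: str,
              password: str) -> Optional[str]:
    """Password-based SASL bind (e.g. DIGEST-MD5): the authorization DN on
    success, None on failure.  No directory entry is consulted at all."""
    if not sasl_checkpass(authcid, realm, password):
        return None
    return authz_dn(authcid, mechanism, realm)


def simple_bind(entry: Dict[str, List[str]], password: str,
                sasl_realm: str) -> bool:
    """Simple bind against an entry's userPassword values.

    "{SASL}user" delegates the check to SASL for that user, so the directory
    holds no secret.  A value with no scheme prefix is compared as clear text.
    Other schemes ({SSHA}, {CRYPT}, ...) are outside this example and rejected.
    """
    for value in entry.get("userPassword", []):
        if value.startswith("{SASL}"):
            sasl_user = value[len("{SASL}"):]
            if sasl_checkpass(sasl_user, sasl_realm, password):
                return True
        elif not value.startswith("{"):
            if hmac.compare_digest(value.encode(), password.encode()):
                return True
        # any other scheme: not handled here, treated as no match
    return False


if __name__ == "__main__":
    # Constructed entry: no secret in the directory, only the SASL user name.
    entry = {"userPassword": ["{SASL}hugo"]}
    print(simple_bind(entry, "correct horse battery", "EXAMPLE.NET"))
    print(sasl_bind("hugo", "DIGEST-MD5", "EXAMPLE.NET", "correct horse battery"))
    print(authz_dn("hugo", "GSSAPI", "EXAMPLE.NET"))
```

The point to take from simple_bind is that the "{SASL}" value is a pointer, not a credential: a dump of the directory yields no secret for that entry, which is the reason Kurt notes that the whole aim of SASL in LDAP is to avoid simple bind in the first place.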