[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Fw: on SASL

Turbo Fredriksson wanted us to know:

>> replica         host=gteshome:53389
>You _MIGHT_ need the full FQDN here...

With a simple bind, a FQDN is not needed (but my resolver is setup
properly, I guess you can't always count on that).  I will assume that a
FQDN is required, then once I get it working, I will back it out and see
if it breaks.  We also have our resolver configured to search through
about 4 domain suffixes.  I'll change it so that it doesn't find the
correct FQDN on the first DNS query to see if that breaks anything.
Should be the same results though.

>>                 suffix="ou=District3,o=mrball,c=US"
>>                 binddn="uid=tlyons.mrball.net"
>This is not a complete dn... (should probably have 'suffix' added to it).

Ok, that did strike me as funny looking.  I'll change it to something
that would be more normal looking.

>>                 authcId="tlyons.mrball.net"
>>                 authzId="tlyons.mrball.net"
>>                 realm="gteshome.mrball.net"
>>                 credentials="todd"
>Have no idea what these do, _I_ don't have them...

Since you define an sasl-realm as a global, I think you get rid of the
realm requirement.  Keep in mind that I'm just doing this for
replication, not local client access using sasl.  We're still working
out the details of local client access.  Depending on which site it's
located, it will be one or more of qmail, courier-imap, or Samba.

>> In the config file for the slave ldap server for port 53389, I have:

AACK!  I *COMPLETELY* forgot about that damned dot.  That's the FIRST
thing that I check.

>DOT (.) is a regexp, so have to be protected. It is advisable to use dot's
>in a DN (you'll probably end up with even more problem if you have a dot
>in the DN)!

Yes, I just blindly accepted what I read and didn't give it a second
thought.  My only defense is that I was very tired yesterday and was not
thinking clearly.

>> For ACL's, I have:
>>         by dn="UID=TLYONS.MRBALL.NET" write
>Since you're using dot's in the username, this should be:

He didn't include the realm in his sample slapd.conf.  I'll delve into
that a little deeper.  I'll assume that you're right :) and adjust it.
I will just get completely away from dots.  (I remember thinking "What 
an idiot" when watching people ask this question.  Now I hang my head 
in shame.)
>This indicates that the username is in lowercase, so replace all uppercased
>usernames to lowercase above...

That answers one of the really large questions that I had, thank you.

>> In the meantime, I'm studying your HowTo.
>Only using SASL (ie, without Kerberos) is what's still missing in my HOWTO.
>I'd hoped that someone would volontare... :)

I'll gladly fill in some holes.  One of the main things that needs to be
documented is limitations of capability, ie "you can do the following
things with only sasl {insert list here}" and "you follwoing things
require sasl and K5 {insert list here}".  For my case, I'm only working
on replication, but client authentication would certainly be nice to
certify too (is certify the word I'm looking for?)

I'll report results back to the list.  For right now, I'm giving my
brain a rest for a while.
Blue skies...		Todd
| Get a bigger hammer!   |  All vendors suck, but different ones  |
| http://www.mrball.net  |  suck less in different applications.  |
| http://faq.mrball.net  |                --Andy Walden on NANOG  |