
Newbie OpenLDAP-SASL question



To get directory users authenticated using SASL, I have taken the
following steps:

- compile/install cyrus sasl
- compile/install openldap 2.0.9 with cyrus sasl support
- set 'require SASL' in my slapd.conf (I want to prevent any other type
of authentication)
- create a sasl passwd file (/etc/sasldb) using saslpasswd(8), invoked
like this:

for dn "cn=Manager,dc=example,dc=com":
% /usr/local/sbin/saslpasswd -c "dn:cn=Manager,dc=example,dc=com"

At this point, running ldapsearch with -D "cn=Manager,dc=example,dc=com"
and -W, I set the authentication id and the authzid to
"dn:cn=Manager,dc=example,dc=com". Running in debug mode, it looks like
it is authenticating correctly against the sasl database, however I get
the error:

ldap_sasl_interactive_bind_s: Inappropriate authentication
        additional info: authorization disallowed

(I believe the SASL part of authentication is going through correctly,
because putting in a wrong password gives me "Invalid Credentials
Error". Running in debug mode showed correct SASL client-server
communication, with a positive response from the server).

Reading previous posts about SASL authentication, I believe what is
wrong here is that I am not telling the LDAP server which SASL username
corresponds to which LDAP directory entry. Unfortunately, I couldn't
find any documentation on this matter.

Thanks,
Mani

-- 
/* Mani Ghasemlou, Software Developer
 * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
 * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
 */
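For reference, an added example of how OpenLDAP 2.0.x is told which directory entry a SASL identity belongs to. This is not code from the post or from the OpenLDAP project; the suffix dc=example,dc=com and the cn=Manager entry are taken from the post, while the realm name example.com, the mechanism DIGEST-MD5 and the SASL user name "manager" are assumptions. In 2.0, slapd represents a SASL-authenticated user internally as an authentication request DN of the form uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth (the cn=<realm> component only appears when a realm is in play), and the saslRegexp directive in slapd.conf rewrites that DN into the DN of a real entry; without such a rule the SASL user corresponds to no entry at all, so an explicit authorization identity cannot be granted.

```conf
# Added example (not from the post or the OpenLDAP project): slapd.conf
# fragment for OpenLDAP 2.0.x mapping SASL identities onto entries.
# dc=example,dc=com comes from the post; the realm "example.com", the
# mechanism DIGEST-MD5 and the SASL user name "manager" are assumptions.

# Reject simple and anonymous binds; only SASL binds are accepted.
require         SASL

# Every successful SASL login reaches slapd as
#     uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
# (cn=<realm> is present only when the client supplied a realm).
# saslRegexp rewrites that DN into an entry DN.  Patterns are POSIX
# extended regular expressions and $1 is the first parenthesised group.
# [^,]* is used rather than .* so that a realm component can never leak
# into the captured user name (".*" is greedy and would swallow
# ",cn=example.com").  OpenLDAP 2.1 and later spell this sasl-regexp.
saslRegexp "uid=([^,]*),(cn=[^,]*,)?cn=[^,]*,cn=auth" "cn=$1,dc=example,dc=com"

# Matching client-side steps (assumed invocations, shown as comments):
#
#   create the SASL account under its bare user name and realm, not a
#   "dn:..." string, so that the login maps to uid=manager,cn=example.com,
#   cn=DIGEST-MD5,cn=auth and hence to cn=manager,dc=example,dc=com:
#     % saslpasswd -c -u example.com manager
#
#   bind with the SASL user (-U) rather than a bind DN (-D); leaving out
#   -X means the authorization identity defaults to the authentication
#   identity, so no separate authorization decision has to be made:
#     % ldapsearch -Y DIGEST-MD5 -R example.com -U manager \
#         -b dc=example,dc=com '(objectclass=*)'
```

The regexp rule is the piece of server-side configuration that ties a SASL user name to a directory entry; the rest of the fragment simply keeps the client's identifiers consistent with it.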