
RE: Newbie OpenLDAP-SASL question



Let me begin by saying I've never set up an OpenLDAP server ... that said ...

I believe what you are missing is not in the general admin guide for 2.0, but is in the draft developer's admin guide at:
http://www.openldap.org/devel/admin/sasl.html section 9.2.3 (which is not the same section as in the regular admin guide). You need to map the authentication id to an authorization id using the saslregex directive.

I think the fact that this piece of information is only listed in the draft developer's guide is very problematic, and it should be added to the production admin guide to avoid further confusion.

Brian

> -----Original Message-----
> From: manig [mailto:manig@steltor.com]
> Sent: Thursday, February 14, 2002 11:04 AM
> To: openldap-software@OpenLDAP.org
> Subject: Newbie OpenLDAP-SASL question
> 
> 
> To get directory users authenticated using SASL, I have taken the
> following steps:
> 
> - compile/install cyrus sasl
> - compile/install openldap 2.0.9 with cyrus sasl support
> - set 'require SASL' in my slapd.conf (I want to prevent any other type
> of authentication)
> - create a sasl passwd file (/etc/sasldb) using saslpasswd(8), invoked
> like this:
> 
> for dn "cn=Manager,dc=example,dc=com":
> % /usr/local/sbin/saslpasswd -c "dn:cn=Manager,dc=example,dc=com"
> 
> At this point, running ldapsearch with -D "cn=Manager,dc=example,dc=com"
> and -W, I set the authentication id and the authzid to
> "dn:cn=Manager,dc=example,dc=com". Running in debug mode, it looks like
> it is authenticating correctly against the sasl database, however I get
> the error:
> 
> ldap_sasl_interactive_bind_s: Inappropriate authentication
>         additional info: authorization disallowed
> 
> (I believe the SASL part of authentication is going through correctly,
> because putting in a wrong password gives me "Invalid Credentials
> Error". Running in debug mode showed correct SASL client-server
> communication, with a positive response from the server).
> 
> Reading previous posts about SASL authentication, I believe what is
> wrong here is that I am not telling the LDAP server which SASL username
> corresponds to which LDAP directory entry. Unfortunately, I couldn't
> find any documentation on this matter.
> 
> Thanks,
> Mani
> 
> -- 
> /* Mani Ghasemlou, Software Developer
>  * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
>  * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
>  */
>
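
The identity mapping discussed in this thread, sketched as an added example (not part of the original messages and not OpenLDAP code): a Python model of ordered match/replace rules that rewrite a SASL authentication DN into a directory DN, with a lenient pattern beside a strict one. The `uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth` form and `$1` syntax follow what later OpenLDAP releases document; the whole-string anchoring, rule sets and sample DNs are assumptions constructed here, so check the guide for your release.

```python
import re

# Constructed rule sets: (match pattern, replacement), tried in order.
# $1 stands for the first captured group, as in the slapd.conf rule syntax.
LENIENT = [(r"uid=(.*),cn=example.com,cn=digest-md5,cn=auth",
            "uid=$1,ou=people,dc=example,dc=com")]
STRICT = [(r"uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth",
           "uid=$1,ou=people,dc=example,dc=com")]


def map_sasl_dn(auth_dn, rules):
    """Return the directory DN for a SASL authentication DN, or None.

    The first rule whose pattern matches the whole DN wins (this model
    anchors at both ends). None means no rule applied, so the SASL
    identity has no corresponding directory entry.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            # Expand $1..$9 in the replacement with the captured groups.
            return re.sub(r"\$(\d)",
                          lambda ref: m.group(int(ref.group(1))),
                          replacement)
    return None


def compare(auth_dn):
    """Map one identity with both rule sets to show where they differ."""
    return {"lenient": map_sasl_dn(auth_dn, LENIENT),
            "strict": map_sasl_dn(auth_dn, STRICT)}


if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread.
    for dn in ("uid=mani,cn=example.com,cn=digest-md5,cn=auth",
               "uid=mani,cn=other.org,cn=digest-md5,cn=auth",
               "uid=mani,ou=x,cn=example.com,cn=digest-md5,cn=auth"):
        print(dn, "->", compare(dn))
```

The third sample shows why the capture should exclude commas: `(.*)` lets extra RDNs ride into the mapped DN, while `([^,]*)` rejects the identity outright.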