
RE: Newbie OpenLDAP-SASL question



The reason "saslregexp" is only in the draft developer's admin guide is
because it only exists in the development code at the moment; it has never
been in any released versions. I think the upcoming 2.1alpha will be the
first actual release of this feature.

Given that the current public release is 2.0.22 I find it difficult to
understand why anyone would begin a project today by compiling version
2.0.9. It is in everyone's best interest to check for the latest versions of
all software before beginning to work with any of it. Sure there may be new,
as-yet-undiscovered bugs in the newest code, but in general more bugs are
fixed than introduced.

As for mapping SASL IDs to LDAP DNs, this has been covered repeatedly in the
past couple weeks on this mailing list. The short answer in this case is
that slapd always constructs a DN using "uid=<sasl-name>+realm=<sasl-realm>"
in the released code, and always expects you to specify the name as
"u:<sasl-name>" on the command line.

As mentioned before, the new code has the "saslregexp" config directive for
mapping SASL names to DN format, plus other related features to make SASL a
lot better integrated. Check through the archives of this mailing list for
more details.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
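To make the mapping described in the reply concrete, here is an added Python model (not OpenLDAP code, not from this thread): it builds the released 2.0.x DN form quoted above from a "u:<sasl-name>" identity, rejects any other identity form, and then applies regexp rules that stand in for the development-only "saslregexp" directive. The rule syntax, the realm "example.com" and the target DNs are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed model of the released-code behaviour: slapd builds the DN
# "uid=<sasl-name>+realm=<sasl-realm>" and expects the identity as "u:<sasl-name>".
RELEASED_DN_TEMPLATE = "uid={name}+realm={realm}"


def released_sasl_dn(identity: str, realm: str) -> str:
    """Return the DN the released 2.0.x slapd constructs for a SASL identity.

    Only the "u:<sasl-name>" form is accepted in this model; other forms
    (e.g. the "dn:..." form used in the original question) raise ValueError.
    """
    if not identity.startswith("u:"):
        raise ValueError(f"unsupported SASL identity form: {identity!r}")
    name = identity[2:]
    if not name:
        raise ValueError("empty SASL user name")
    return RELEASED_DN_TEMPLATE.format(name=name, realm=realm)


def map_with_regexps(sasl_dn: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Map the constructed SASL DN to a directory DN; first full match wins.

    Each rule is (pattern, replacement); "$1", "$2", ... in the replacement
    refer to capture groups of the pattern (assumed syntax, not the real
    saslregexp grammar). Returns None when no rule matches.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Assumed rules: a specific one for the manager, then a catch-all for people.
# Note the "+" in the constructed DN must be escaped in the pattern.
EXAMPLE_RULES = [
    (r"uid=manager\+realm=example\.com", "cn=Manager,dc=example,dc=com"),
    (r"uid=([^+,]+)\+realm=example\.com", "uid=$1,ou=people,dc=example,dc=com"),
]


def authorize(identity: str, realm: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Full pipeline: identity -> constructed SASL DN -> mapped directory DN."""
    return map_with_regexps(released_sasl_dn(identity, realm), rules)


if __name__ == "__main__":
    print(authorize("u:manager", "example.com", EXAMPLE_RULES))
    print(authorize("u:mani", "example.com", EXAMPLE_RULES))
```

Running it prints the mapped DNs for the two constructed identities; a realm with no matching rule yields None, which is the unmapped case the regexp directive is meant to resolve.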

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Brian Arkills
> Sent: Thursday, February 14, 2002 1:10 PM
> To: 'manig'; openldap-software@OpenLDAP.org
> Subject: RE: Newbie OpenLDAP-SASL question
>
>
> Let me begin by saying I've never set up an OpenLDAP server ...
> that said ...
>
> I believe what you are missing is not in the general admin guide
> for 2.0, but is in the draft developer's admin guide at:
> http://www.openldap.org/devel/admin/sasl.html section 9.2.3
> (which is not the same section as in the regular admin guide).
> You need to map the authentication id to an authorization id
> using the saslregex directive.
>
> I think the fact that this piece of information is only listed in
> the draft developer's guide is very problematic, and it should be
> added to the production admin guide to avoid further confusion.
>
> Brian
>
> > -----Original Message-----
> > From: manig [mailto:manig@steltor.com]
> > Sent: Thursday, February 14, 2002 11:04 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: Newbie OpenLDAP-SASL question
> >
> >
> > To get directory users authenticated using SASL, I have taken the
> > following steps:
> >
> > - compile/install cyrus sasl
> > - compile/install openldap 2.0.9 with cyrus sasl support
> > - set 'require SASL' in my slapd.conf (I want to prevent any other type
> > of authentication)
> > - create a sasl passwd file (/etc/sasldb) using saslpasswd(8), invoked
> > like this:
> >
> > for dn "cn=Manager,dc=example,dc=com":
> > % /usr/local/sbin/saslpasswd -c "dn:cn=Manager,dc=example,dc=com"
> >
> > At this point, running ldapsearch with -D "cn=Manager,dc=example,dc=com"
> > and -W, I set the authentication id and the authzid to
> > "dn:cn=Manager,dc=example,dc=com". Running in debug mode, it looks like
> > it is authenticating correctly against the sasl database, however I get
> > the error:
> >
> > ldap_sasl_interactive_bind_s: Inappropriate authentication
> >         additional info: authorization disallowed
> >
> > (I believe the SASL part of authentication is going through correctly,
> > because putting in a wrong password gives me "Invalid Credentials
> > Error". Running in debug mode showed correct SASL client-server
> > communication, with a positive response from the server).
> >
> > Reading previous posts about SASL authentication, I believe what is
> > wrong here is that I am not telling the LDAP server which SASL username
> > corresponds to which LDAP directory entry. Unfortunately, I couldn't
> > find any documentation on this matter.
> >
> > Thanks,
> > Mani
> >
> > --
> > /* Mani Ghasemlou, Software Developer
> >  * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
> >  * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
> >  */
> >