
Re: SASL Woes



Hi,

The horrible thing is that you can't get a secret because you haven't supplied a SASL username.

Yes, the server should map your bind DN ("cn=bougyman,dc=mycompany,dc=com") onto a SASL username and use that for lookup but . . . it doesn't as of version 2.0.23. This means that it has no idea who to look up in the SASL database.

You need to supply the -U "mysaslname" and -R "myrealm" parameters.

"What! This makes ACLs etc almost impossible - how can it be true?"

Yes, and I don't know. There is a saslRegexp command listed in the admin guide that is supposed to bring in this mapping but it doesn't work. The latest CVS for SASL has this fixed.

Regards,

Tim


TJ Vanderpoel wrote:

I've been tasked to get our directory services authenticating via a
biometric mechanism that only supports RADIUS.  In searching this
list, it seems using PAM as a bridge to the RADIUS server is the
only option, which means utilizing SASL.  After about 10 recompiles, I
found my problem with sasl (the /etc/sasldb file didn't exist), but I'm
still unable to get slapd to successfully authenticate with sasl.
Using: ldapsearch -O none -D "cn=bougyman,dc=mycompany,dc=com"
I get
ldap_sasl_bind_s: Unknown error
 additional info: unable to get users secret
Using: ldapsearch -O none -D "cn=bougyman,dc=mycompany,dc=com" -Y plain
I just get
ldap_sasl_bind_s: Unknown error
I tried something from the mailing list in my ldif of:
userpassword: {SASL}tjvanderp
but that didn't seem to work, it just encrypted that string and that's
what looks to be stored in userpassword for uid bougyman.
I have created the user secret using saslpasswd for both tjvanderp and
bougyman, so even if RADIUS auth weren't working, sasldb authentication
should work, no?  What am I missing?
I'm lost on where to go from here, must've read 30 sasl threads on here
so far, none of them seem to be the howto I need.  Any help or pointer
to good documentation would be appreciated.

TJ Vanderpoel, GCIA GCIH
tj@defendem.com
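The mapping Tim refers to, modelled as an added example that is not part of this thread and not slapd's own code. It assumes the authorization-identity form of that era ("uid=<user>,cn=<realm>,cn=<mech>,cn=auth", realm omitted when none is given) and a saslRegexp-style rule of pattern plus "$N" replacement; the rules, the user/realm/mechanism values (taken from the -U/-R/-Y flags Tim names and TJ's bind DN) and the Python re engine standing in for slapd's regex are all assumptions. It shows why a bind without a working mapping leaves the client as an identity no DN-based ACL mentions, and a caveat worth checking once -R is supplied: a greedy "(.*)" capture swallows the realm component, so the mapped DN is wrong even though the rule matches.

```python
import re

# Constructed from the thread: what ldapsearch -U/-R/-Y would send, and the
# DN-based entry TJ bound as. Values are assumptions for illustration.
SASL_USER = "bougyman"
SASL_REALM = "myrealm"
SASL_MECH = "plain"
BIND_DN = "cn=bougyman,dc=mycompany,dc=com"

# Assumed saslRegexp-style rules: (pattern over the SASL authz identity,
# replacement where $1..$9 are capture groups). Not copied from any config.
GREEDY_RULES = [
    (r"uid=(.*),cn=.*,cn=auth", "cn=$1,dc=mycompany,dc=com"),
]
SAFE_RULES = [
    # [^,]+ stops the capture at the first comma, so a realm cannot leak in
    (r"uid=([^,]+),cn=.*,cn=auth", "cn=$1,dc=mycompany,dc=com"),
]


def sasl_authz_id(user, realm, mech):
    """Identity string assumed to be derived from a SASL bind (realm optional)."""
    if realm:
        return f"uid={user},cn={realm},cn={mech},cn=auth"
    return f"uid={user},cn={mech},cn=auth"


def apply_sasl_regexp(authz_id, rules):
    """Map authz_id through the first matching rule; unchanged if none matches.

    An unchanged result is the failure mode Tim describes: the bind succeeds
    as "uid=...,cn=auth", which no "by dn=..." ACL refers to.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_id, flags=re.IGNORECASE)
        if m:
            # translate the $N references of the rule into the captured text
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authz_id


def resolve_bind_identity(user, realm, mech, rules):
    """DN (or raw authz identity) that ACL evaluation would see for this bind."""
    return apply_sasl_regexp(sasl_authz_id(user, realm, mech), rules)


def maps_to_bind_dn(user, realm, mech, rules, expected_dn=BIND_DN):
    """True when the mapping yields the DN whose ACLs the client expects."""
    return resolve_bind_identity(user, realm, mech, rules).lower() == expected_dn.lower()


if __name__ == "__main__":
    for name, rules in (("no rules", []), ("greedy", GREEDY_RULES), ("safe", SAFE_RULES)):
        ident = resolve_bind_identity(SASL_USER, SASL_REALM, SASL_MECH, rules)
        ok = maps_to_bind_dn(SASL_USER, SASL_REALM, SASL_MECH, rules)
        print(f"{name:8s} -> {ident}  (matches bind DN: {ok})")
```

With -R supplied the greedy rule maps the identity to "cn=bougyman,cn=myrealm,dc=mycompany,dc=com", an entry that does not exist, while the same rule happens to work when no realm is sent; the "[^,]+" form gives the expected DN in both cases, which is the check to run before concluding that the mapping directive itself is broken.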