[Date Prev][Date Next] [Chronological] [Thread] [Top]

userPassword: Can it store SASL and unix/NSS_LDAP secrets?

Hi all,

I'm trying to make my directory a one-stop shop for all authentication.
It is possible for the LDAP directory to manage SASL secrets for access to the directory
and a separate password for access to UNIX systems using nsswitch NSS_LDAP?

Hope you can clarify my understanding of in-directory SASL secrets; it goes
something like this (please please jump in and correct me):

For UNIX logons you need like

userPassword:  {crypt}XXXXXXXXXXXXXXX

and configure nsswitch.conf to use nss_ldap for logon.
This gets reused for LDAP simple auth and SASL plain, right?
(Can you tell them to use another attribute if I don't want to
overload this attr?)

(BTW OpenLDAP provides a callback to SASL2 so that the PLAIN
mechanism always checks in-directory secrets; this confused me
because it wouldn't use sasldb2. Right? What's even more confusing
is the the DIGEST-MD5 mechanism doesn't use the callback and needs
further configuring. I respectfully suggest that the admin guide on SASL
needs to include lots of examples of /etc/openldap/slapd.conf
and /usr/lib/sasl2/slapd.conf.)

For in-directory SASL secrets you need

In /usr/lib/sasl2/slapd.conf
[Is this correct? The documentation is not very clear here]
pwcheck_method: auxprop
auxprop_plugin: slapd

and in the directory itself

userPassword: {cleartext}mydigestmd5secret

So is it possible to manage *both* secrets at the same time.
Like a
userPassword_for_UNIX and a

Cheers Richard