
Re: SASL External : only bind with existing dn



Hi,

Francois Beretti <francois.beretti@enatel.com> writes:

> Hello all
>
> I managed to get SASL External working,
> with certificates DNs of same form as my directory DNs
> (cn=francois,ou=people,dc=enatel,dc=local), without using
> sasl-regexp
>
> but now any user with a certificate with a dn of this form can bind to
> the directory, even if no entry matching his dn exists

It is an anonymous bind.
>
> It is normal, as I read in the doc.
> But is it a good thing ?
> I have found in the doc that by putting this in slapd.conf I can solve
> that, forcing slapd to find a matching entry in the database before
> authorizing the connection :
>
> sasl-regexp
>  cn=(.*),ou=people,dc=enatel,dc=local
>  ldap:///ou=people,dc=enatel,dc=local??sub?(cn=$1)

You don't need any regular expressions to map your certificate DN to a
directory entry.
>
> but it doesn't work
> I can still have this, while I have _no_ entry in my directory (so I
> have no user "francois") :
>
> [francois@linux-integ ssl]$ ldapsearch -Y external -ZZ
> SASL/EXTERNAL authentication started
> SASL username: CN=francois,OU=people,DC=enatel,DC=local
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # search result
> search: 3
> result: 32 No such object
> # numResponses: 1

This is an error message, you made an anonymous bind to read, which
you were not allowed to. A successful read would show

# search result
search: 3
result: 0 Success

>
> I also have an error in my log :
> SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory

You have compiled openldap with spasswd, therefore you have to create
sasldb2, whether you actually need it or not.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour
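To make the sasl-regexp mapping discussed in this thread concrete, here is a small added model (example code, not from the thread, the poster's setup, or OpenLDAP itself) that applies the regexp/URI pair quoted above to the SASL EXTERNAL username and evaluates the resulting LDAP URI against a constructed in-memory directory. With no "francois" entry the mapping yields no DN, which is why the session ends up anonymous; the case-insensitive match and the simple equality-filter evaluator are assumptions of this toy.

```python
"""Toy model of slapd's sasl-regexp mapping (added example, not OpenLDAP code)."""
import re
from urllib.parse import unquote

# The sasl-regexp directive from the thread, as one regexp and one URI.
SASL_REGEXP = r"cn=(.*),ou=people,dc=enatel,dc=local"
SASL_URI = "ldap:///ou=people,dc=enatel,dc=local??sub?(cn=$1)"

# Constructed sample directories: DN -> attributes.
EMPTY_DIRECTORY = {}                       # like the poster's directory
DIRECTORY_WITH_USER = {
    "cn=francois,ou=people,dc=enatel,dc=local": {"cn": ["francois"]},
}

def parse_ldap_uri(uri):
    """Split ldap:///base?attrs?scope?filter into its four parts."""
    parts = uri[len("ldap:///"):].split("?")
    while len(parts) < 4:
        parts.append("")
    base, attrs, scope, flt = parts[:4]
    return unquote(base), attrs, scope or "base", unquote(flt)

def map_sasl_username(username, directory):
    """Return the directory DN the SASL username maps to, or None.
    The certificate subject uses upper-case attribute names (CN=, OU=),
    so the regexp is matched case-insensitively (assumption of this toy)."""
    m = re.fullmatch(SASL_REGEXP, username, re.IGNORECASE)
    if not m:
        return None
    uri = SASL_URI.replace("$1", m.group(1))      # substitute the capture
    base, _attrs, scope, flt = parse_ldap_uri(uri)
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)  # simple equality filter only
    if not fm:
        return None
    attr, value = fm.group(1).lower(), fm.group(2).lower()
    matches = []
    for dn, attrs in directory.items():
        if scope == "sub":
            in_scope = dn.lower().endswith(base.lower())
        else:
            in_scope = dn.lower() == base.lower()
        if in_scope and value in (v.lower() for v in attrs.get(attr, [])):
            matches.append(dn)
    # slapd only accepts a mapping whose search returns exactly one entry
    return matches[0] if len(matches) == 1 else None
```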