[Date Prev][Date Next] [Chronological] [Thread] [Top]


> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> Igor Brezac wrote:

> > The ldapdb auxprop plugin has to use PLAIN and DIGEST-MD5, however
> > 1.4 can use CRAM-MD5 or any other mech offered by the imap (?) server.
> >
> > Mozilla ---CRAM-MD5---> imapd --> ldapdb ---DIGEST-MD5---> slapd
> Yuk!! Mozilla Messenger's brain-dead enough as it is. ldapdb (2.1.22)
> works o.k., even with Openldap 2.1.23 and I use that for CRAM
> smtp AUTH
> direct to Postfix 2.0.16 snapshot. Messenger insists on CRAM if it's
> advertised.

> The 2.1.23 ldapdb auxprop doesn't allow CRAM, though (insists on SASL
> proxy authorization). I'm happy though, I'm rid of the SASL 2.1.13 bugs
> in a very elegant way (thanks Howard :)

You're welcome. Unfortunately, it appears I missed something in merging the
CVS version into 2.1.23. You should probably stick with the 2.1.22 ldapdb.c
for now, will have to fix this in 2.1.24.

Also in this otherwise excellent summary:

>in your /etc/openldap/slapd.conf file put this in.
>--- slapd.conf
>sasl-authz-policy to
>     uid=(.*),cn=digest-md5,cn=auth
>     uid=$1,ou=people,o=mydomain,c=us
>     uid=(.*),cn=(.*),cn=digest-md5,cn=auth
>     uid=$1,ou=People,o=mydomain,c=us
>the first command (sasl-authz-policy) tells openldap to allow proxy
>the sasl-regexp lines map the SASL DN to the real user DN in your
>directory. (the first is a username w/o a realm, the second with a

The sasl-regexp statements are in the wrong order. The statements are matched
in the order that they're listed in slapd.conf. You must put the most
specific statement first, otherwise it will never be used. This is already
stated in the documentation, yet it seems that everyone overlooks it.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support