
Re: How to configure openLDAP with SASL Digest-MD5



Mon, 09.02.2004 at 09.33, Lara Adianto wrote:

> I have openLDAP-2.1.25 with simple authentication
> (without SSL/TLS) works fine on my machine RedHat
> Linux 9.0 kernel 2.4.20-8.

*Thanks* (sigh of relief) for giving OS and distro details :) I don't
have to slag you off or ignore you ...

> I'm now trying to incorporate the SASL Digest-MD5
> authentication on it. I have followed the 'SASL
> Configuration: Digest-MD5' guide from LDAP Linux HOWTO
> but still can't get it right.

To begin with, setting up SASL with Openldap 2.1/2.2 is a wretch. After
a while, you get used to the train of thought, and it becomes second
nature. Though it becomes worse when you have to arrange for a Cyrus
SASL auxprop *proxy* SASL user - for Postfix smtp AUTH, for example.

[...]

> While the server is installed with the following
> configuration:
> # CPPFLAGS="-I/usr/local/include"
> LDFLAGS="-L/usr/local/lib" ./configure --prefix=/usr
> --libexecdir=/usr/sbin --sysconfdir=/etc
> --localstatedir=/var/run --enable-debug --disable-ipv6
> --with-cyrus-sasl --without-kerberos --without-tls
> --enable-crypt --enable-passwd --enable-ldbm

This is your privilege. If I'm compiling anything that might conflict
with standard Ma RedHat, it goes into /usr/local, will he, nil he. Then
I can point specific compiles at my own stuff, without conflicting with
RH.

> I have successfully created the sasl user database
> using 'saslpasswd2 -c admin' command.

The point about Openldap 2.1 SASL is, that you don't make any use of the
Cyrus saslauthd or saslpasswd?. Everything is done within Openldap.

[...]

> sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth
> uid=$1,ou=People,o=Ever

Don't look right to me. If you want DIGEST-MD5, try:

sasl-regexp uid=(.*),cn=digest-md5,cn=auth
    "ldap:///ou=People,o=Ever??sub?uid=$1"

Why? Because that's the standard way of Openldap SASL mapping. And that
way, you short-circuit the whole extraneous Cyrus SASL authentication
mechanism, whilst still using the SASL2 libraries.

Mind you, you could adapt your original regexp, but the problem is then,
that you won't find many people who do things that way. Moreover, it
will really fsck up your thought processes when you discover what
saslAuthzTo and saslAuthzFrom are all about. Especially with Openldap
2.2, which IMHO you should now be looking at, instead of 2.1. But then
again, that's your privilege ;)

> --------------------------------------------------------------------- 
> Believe in miracles, but don't depend upon them 
> ----------------------------------------------------------------------

Yep.

--Tonni

-- 
I wish that mailing-list people would stop CC'ing me.
Chances (95%) are that if they do, the CC will never
make it, anyway.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
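
The two sasl-regexp rules quoted in the message above, as an added example that is not part of the original thread: a simplified Python model (not slapd's own code) of how each rule rewrites a SASL authentication DN and which entry it ends up at. The directory entries, the function names and the use of Python's `re` in place of slapd's regex engine are assumptions.

```python
import re

# Constructed sample directory (DN -> uid value); not data from the thread.
DIRECTORY = {
    "uid=admin,ou=people,o=ever": "admin",
    "uid=lara,ou=staff,ou=people,o=ever": "lara",
}

# (match, replacement) pairs as quoted in the message; "$1" is the first group.
ORIGINAL = (r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth",
            "uid=$1,ou=People,o=Ever")
SUGGESTED = (r"uid=(.*),cn=digest-md5,cn=auth",
             "ldap:///ou=People,o=Ever??sub?uid=$1")


def rewrite(authn_dn, rule):
    """Apply one rule to a SASL authentication DN; None when it does not match."""
    pattern, replacement = rule
    # Assumption: case-insensitive matching stands in for slapd's DN handling.
    m = re.search(pattern, authn_dn, re.IGNORECASE)
    return replacement.replace("$1", m.group(1)) if m else None


def resolve(target):
    """Turn a rewrite result into exactly one directory DN, or None."""
    if target is None:
        return None
    if not target.startswith("ldap:///"):
        dn = target.lower()
        return dn if dn in DIRECTORY else None  # plain DN: entry must sit there
    # ldap:///<base>?<attrs>?<scope>?<filter>
    fields = (target[len("ldap:///"):].split("?") + [""] * 3)[:4]
    base, _attrs, scope, flt = fields
    base = base.lower()
    attr, _, value = flt.strip("()").partition("=")
    hits = [dn for dn, uid in DIRECTORY.items()
            if attr == "uid" and uid == value.lower()
            and (dn.endswith("," + base) if scope == "sub" else dn == base)]
    return hits[0] if len(hits) == 1 else None  # the search must find one entry


def authenticate_as(authn_dn, rule):
    """Full mapping: authentication DN -> directory entry (or None)."""
    return resolve(rewrite(authn_dn, rule))
```

In this model the search form finds `lara` under `ou=Staff`, while the direct-DN form only works for entries that sit immediately under `ou=People,o=Ever` and only when the request DN carries the `rdnt03` realm component.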