
Re: How the password stored in SASL db can be related to the userPassword attribute of an entry of the directory?



Hi Howard,

I followed your suggestion but that's what I got after running ldapsearch

1.
[root@LDAPMaster etc]# ldapsearch -Y digest-md5 -b "o=Organization" -D
"uid=CO,ou=Operator,o=Organization"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client response
doesn't match what we generated

2.
[root@LDAPMaster etc]# ldapsearch -Y digest-md5  -D
"uid=CO,cn=digest-md5,cn=auth"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client response
doesn't match what we generated

In 1. and 2. I inserted CO_PWD as the password string according to my ldif file,
which contains the following entry:
dn: uid=CO, ou=Operator, o=Organization
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Organization Commander
sn: CO
uid: CO
userPassword: CO_PWD
displayName: commander
description: Organization commander

So, what's wrong ?

How can I use the secret stored in the LDAP directory instead of the secret
stored in the SASL db?

Many thanks for your attention.

Giampaolo




-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]
Sent: Thursday, 8 April 2004 15:34
To: owner-openldap-software@OpenLDAP.org; openldap-software@OpenLDAP.org
Subject: RE: How the password stored in SASL db can be related to the
userPassword attribute of an entry of the directory?


http://www.openldap.org/doc/admin22/sasl.html

Quoting from the above page, section 10.2.3:

>>>
To use secrets stored in the LDAP directory, place plaintext passwords in
the userPassword attribute. It will be necessary to add an option to
slapd.conf to make sure that passwords changed through LDAP are stored in
plaintext:

       password-hash   {CLEARTEXT}

Passwords stored in this way can be managed either with ldappasswd or by
simply modifying the userPassword attribute
<<<

Set the userPassword attribute to the user's password. That's all.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]
> Sent: Thursday, April 08, 2004 5:56 AM
> To: openldap-software@OpenLDAP.org
> Subject: How the password stored in SASL db can be related to the
> userPassword attribute of an entry of the directory?
> 
> Hello everyone,
> 
> first I would like to say thank you to Howard Chu because the replication
> problems via digest-md5 are resolved and my system works very well!!
> 
> Now I have a new issue to solve. How can I synchronize both the passwords
> stored in the SASL db and in the Berkeley db (bdb)? I would like to refer to
> a unique password for a user. I would like to modify the userPassword of
> both the dbs with ldapmodify. I would like this modification to be
> propagated from the master to the slave via digest-md5 replication. Should I
> put some new instruction into the ldif file, or what else?
> I tried userPassword: {SASL} in my ldif file but it didn't work.
> The manual says that with cyrus-sasl 2.1 it is possible to store the SASL secret
> in the LDAP directory. But it doesn't say how!
> 
> Again, I need help.
> 
> Does anybody know the problem?
> 
> Many thanks.
> 
> Giampaolo
> 
> 
> 
> _______________________________
> Giampaolo Rossi
> DATAMAT S.p.A.
> Defence Space & Environment Division
> Via Laurentina 760
> 00143   Rome  (Italy)
> Tel.   +39 065027.2571
> Fax.  +39 065027.2125
> 
> http://www.datamat.it
> 
>  
> 
> 
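The point behind Howard's reply, and behind the "client response doesn't match what we generated" failure above, is that a DIGEST-MD5 verifier has to recompute the client's response from the secret it has stored. The following is an added example, not code from this thread or from OpenLDAP: it implements the RFC 2831 response computation in Python and a server-side check against the stored userPassword value. Only "CO" and "CO_PWD" come from the LDIF above; the realm, nonces, digest-uri, the {SSHA} value and the treatment of a bare value as cleartext are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values: only "CO" and "CO_PWD" come from the LDIF in the
# thread; realm, nonces and digest-uri are made up for this example.
USERNAME, REALM, PASSWORD = "CO", "Organization", "CO_PWD"
NONCE, CNONCE, DIGEST_URI = "srvNonce1234", "cliNonce5678", "ldap/LDAPMaster"

def _h(data: str) -> bytes:
    """H() of RFC 2831: raw 16-byte MD5."""
    return hashlib.md5(data.encode("utf-8")).digest()

def _hex(data: bytes) -> str:
    """HEX(H()) of RFC 2831: lower-case hex MD5."""
    return hashlib.md5(data).hexdigest()

def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth"):
    """Client response for qop=auth without authzid (RFC 2831, 2.1.2.1)."""
    # A1 starts with the *raw* digest of username:realm:password, so the
    # verifier must know that digest or the password itself.
    a1 = _h(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex(a2)}"
    return _hex(kd.encode())

def server_verify(stored_user_password, username, realm, nonce, cnonce,
                  digest_uri, client_response):
    """Server-side check from the stored userPassword value.
    Assumed here: a bare value is the cleartext password and any {SCHEME}
    prefix such as {SSHA} is a one-way hash, which gives the server nothing
    to put into A1; that is why the quoted documentation requires {CLEARTEXT}.
    """
    if stored_user_password.startswith("{"):
        return False  # slapd would report "client response doesn't match"
    expected = digest_md5_response(username, realm, stored_user_password,
                                   nonce, cnonce, digest_uri)
    return hmac.compare_digest(expected, client_response)

def demo() -> dict:
    """One client response checked against three stored values."""
    resp = digest_md5_response(USERNAME, REALM, PASSWORD, NONCE, CNONCE, DIGEST_URI)

    def check(stored, realm=REALM):
        return server_verify(stored, USERNAME, realm, NONCE, CNONCE, DIGEST_URI, resp)

    return {"cleartext": check("CO_PWD"),
            "ssha_hash": check("{SSHA}c29tZV9zc2hhX2Jsb2I="),  # constructed blob
            "wrong_realm": check("CO_PWD", realm="OtherRealm")}
```

The third case shows that the realm enters A1 as well, so client and server must agree on it for the check to succeed even when the stored password is right.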
