[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized

Hi all,

Thanks for your input. I compiled and installed openldap-2.1.30 and changed the uid admin from saslAuthzTo: dn.regex:uid=.*,ou=people,dc=cpc to ldap:///ou=people,dc=cpc??sub?(objectclass=Person) (as in doco http://www.billy.demon.nl/ ) and it works. To be honest I didn't/don't really understand how it works and why it wasn't working from the replies below but I am happy anyway.



I'll give this a subject line (which I forgot to do when I first started this) so other people can find it easier.

From: Pierangelo Masarati <ando@sys-net.it>
To: Ben Booble <oneoutof100@hotmail.com>
CC: OpenLDAP-software@OpenLDAP.org
Subject: Re:
Date: Sat, 01 May 2004 11:39:33 +0200

Ben Booble wrote:

Hi List,
I have been going through the very good http://www.billy.demon.nl/ guide for postfix sasl ldap howto but have run into a problem.

I am running openldap-2.1.25, cryus-sasl-2.1.17, redhat ES3. I have compiled and install ldapdb.c according to the readme. In the guide mentioned above to test the success of the installation you submit this command..

ldapwhoami -Y digest-md5 -U proxyuser -X u:username -H ldap://servername

and the result should be dn:uid=username,ou=people,dc=... showing you can authenticate as the username.
I gather it is something to do with either ACLs or if not that something else. Can someone please look at below and give me a pointer?

My result is: ldap_sasl_interactive_bind_s: Insufficient access (50)

additional info: SASL(-14): authorization failure: not authorized


slap_parseURI: parsing dn.regex:uid=.*,ou=people,dc=cpc

dnNormalize: <dn.regex:uid=.*,ou=people,dc=cpc>

This part of the log is straightforward: slapd is trying to DN-normalize
the string "dn.regex:uid=.*,ou=people,dc=cpc", which of course is not a legal
DN. Note that the "dn.regex" syntax was added to 2.2, but is not yet present
in 2.1; I don't know what documentation you're referring to, but the syntax
of saslAuthz{to|From} attributes has been detailed (with reference to <dnstyles>)
only in 2.2 slapd.conf(5) man page. See


for details.


The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail