
Re: ldapsearch and sasl

James Wilde wrote:

> I thought my sasl lines in slapd.conf were intended to translate the dn
> to sasl format and the sasl user Manager@glocalnet.net exists in the
> sasldb2 database, together with the same password. But it is of course
> the other way round, that sasl converts user names to the dn and looks
> for their password in the ldap directory.

SASL only knows about usernames. OpenLDAP / slapd converts user names into DNs and looks them up. It will also use regular usernames in sasldb2 if they exist, but that's not the preferred method.

> I have been - and probably still am - a bit confused as to the role of
> sasl in all this. I have been assuming that the sole role of sasl is to
> encrypt the communication between client and server. I'm not at all
> clear as to how many of my users I have to have in the sasl database,
> but at the moment I only have Manager@glocalnet.net, that is the
> equivalent of the rootdn in ldap.

The primary purpose of SASL is to perform authentication. Encryption is an optional feature, and is only supported by a subset of SASL mechanisms.

> I don't know why the creators of openldap moved to sasl instead of
> staying with tls/ssl. Maybe someone can explain this.

There was no "moved to instead of" to speak of. TLS/SSL are supported for encryption. SASL is supported for strong authentication. They are fairly complementary and both may be used concurrently.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
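The username-to-DN step Howard describes (slapd mapping the SASL authentication identity onto a directory entry before it looks up that entry) as an added illustration; this is not code from the thread or from OpenLDAP. The identity form `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` and the `$1` replacement syntax follow the OpenLDAP admin guide for the `authz-regexp` directive (spelled `sasl-regexp` in older releases); the rules, realm and DN suffix below are constructed assumptions, and the in-memory "directory" stands in for the real lookup.

```python
import re

# Constructed authz-regexp style rules: (pattern, replacement). slapd applies
# them in order and uses the first one that matches; $1..$9 are the groups.
AUTHZ_REGEXP = [
    (r"uid=([^,]+),cn=glocalnet\.net,cn=digest-md5,cn=auth",
     "cn=$1,ou=people,dc=glocalnet,dc=net"),
    # Fallback: any mechanism, no realm component present
    (r"uid=([^,]+),cn=[^,]+,cn=auth",
     "cn=$1,ou=people,dc=glocalnet,dc=net"),
]

# Constructed stand-in for the directory; only the DN and the presence of a
# userPassword matter here. The password lives in the directory, not sasldb2.
DIRECTORY = {
    "cn=manager,ou=people,dc=glocalnet,dc=net": {"userPassword": "<constructed>"},
    "cn=alice,ou=people,dc=glocalnet,dc=net": {"userPassword": "<constructed>"},
}


def sasl_authcid_to_dn(username, mech, realm=None):
    """Spell the authentication identity the way slapd presents it to the
    mapping rules: the realm component is only present if one was given."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def map_to_dn(authcid, rules=AUTHZ_REGEXP):
    """Apply the first matching rule; unmatched identities keep the
    uid=...,cn=auth form, which matches no real entry."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid, flags=re.IGNORECASE)
        if m:
            dn = replacement
            for i, group in enumerate(m.groups(), start=1):
                dn = dn.replace(f"${i}", group)
            return dn
    return authcid


def lookup_sasl_user(username, mech, realm=None, directory=DIRECTORY):
    """Full path: SASL username -> authcid -> DN -> directory entry (or None)."""
    dn = map_to_dn(sasl_authcid_to_dn(username, mech, realm))
    return dn, directory.get(dn)


if __name__ == "__main__":
    for user, mech, realm in [("manager", "DIGEST-MD5", "glocalnet.net"),
                              ("alice", "CRAM-MD5", None),
                              ("nobody", "DIGEST-MD5", "other.example")]:
        dn, entry = lookup_sasl_user(user, mech, realm)
        print(f"{user}@{realm or '-'} -> {dn} -> {'found' if entry else 'no entry'}")
```

On the client side the same identity is what `ldapsearch -Y DIGEST-MD5 -U manager -R glocalnet.net` presents, so the rule set has to cover the realm and mechanism the clients actually send; a rule that matches nothing leaves the bind with the raw `uid=...,cn=auth` name and no entry, which is the usual cause of "no such object" style failures after the SASL exchange itself succeeded. The replacement may also be an LDAP search URL instead of a literal DN when the entry has to be found by attribute rather than constructed.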