[Date Prev][Date Next]
RE: Mapping through SASL does not work
Please see the responses to my post about a month ago:
I did not understand that the context of uid is in sasl. Hallvard B Furuseth
wrote in his response:
"The "username" from SASL is a SASL identity, not an LDAP attribute.
OpenLDAP puts it UID in the bind DN, but you can use sasl-regexp to
change that." That was key information.
You configure slapd to map what the user enters for a name (his/her email
address in my case) to a DN.
My slapd.conf contains:
and it works very well.
(Ignore my follow-up posts to that thread; I was led astray by misconfigured
access control list.)
Hope this helps.
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
Sent: Monday, June 20, 2005 8:13 AM
Subject: Mapping through SASL does not work
I am refering to
11.2.4. Mapping Authentication Identities
The authentication mechanism in the slapd server will use SASL library
calls to obtain the authenticated user's "username", based on whatever
underlying authentication mechanism was used. This username is in the
namespace of the authentication mechanism, and not in the normal LDAP
namespace. As stated in the sections above, that username is reformatted
into an authentication request DN of the form
depending on whether or not <mechanism> employs the concept of "realms".
Note also that the realm part will be omitted if the default realm was
used in the authentication.
Wouldn't this mean in other words that if I do not configure anything
special (basically using the example configuration file for slapd.conf
that comes with the distribution) and I would try to login as "foo" it
should go and search for an entry with the DN uid=foo,cn=XXX,cn=auth in
Instead I get an error message that binding is not even tried because
"foo" is not a syntactically correct DN.
What did I miss?