
RE: Mapping through SASL does not work



Torsten-
Please see the responses to my post about a month ago:

	http://www.openldap.org/lists/openldap-software/200506/msg00023.html
and
	http://www.openldap.org/lists/openldap-software/200506/msg00022.html

I did not understand that the context of uid is in sasl. Hallvard B Furuseth
wrote in his response:

"The "username" from SASL is a SASL identity, not an LDAP attribute.
OpenLDAP puts its UID in the bind DN, but you can use sasl-regexp to
change that." That was key information.

You configure slapd to map what the user enters for a name (his/her email
address in my case) to a DN.

My slapd.conf contains:
	password-hash   {CLEARTEXT}
	sasl-regexp
		uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth
		ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)
and it works very well.

(Ignore my follow-up posts to that thread; I was led astray by a misconfigured
access control list.)

Hope this helps.
-al 

Al Pacifico
Seattle, WA

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
torsten_openldap-software@gcrud.org
Sent: Monday, June 20, 2005 8:13 AM
To: openldap-software@OpenLDAP.org
Subject: Mapping through SASL does not work

Hi all,

I am referring to

http://www.openldap.org/doc/admin23/sasl.html#SASL%20Authentication

It says:

[QUOTE]

11.2.4. Mapping Authentication Identities

The authentication mechanism in the slapd server will use SASL library
calls to obtain the authenticated user's "username", based on whatever
underlying authentication mechanism was used. This username is in the
namespace of the authentication mechanism, and not in the normal LDAP
namespace. As stated in the sections above, that username is reformatted
into an authentication request DN of the form

        uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

or

        uid=<username>,cn=<mechanism>,cn=auth

depending on whether or not <mechanism> employs the concept of "realms".
Note also that the realm part will be omitted if the default realm was
used in the authentication.

[/QUOTE]

Wouldn't this mean in other words that if I do not configure anything
special (basically using the example configuration file for slapd.conf
that comes with the distribution) and I would try to login as "foo" it
should go and search for an entry with the DN uid=foo,cn=XXX,cn=auth in
the database?

Instead I get an error message that binding is not even tried because
"foo" is not a syntactically correct DN.

What did I miss?

Regards,
Torsten
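A small re-implementation of the two mapping steps this thread describes, added here as an illustration (it is not code from OpenLDAP or from either poster): first the admin-guide rule for forming the authentication request DN from a SASL identity, then Al's sasl-regexp rule turning that DN into a search URL. It assumes whole-DN regex matching and plain $N substitution, which simplifies how slapd actually normalizes and matches.

```python
import re

# The single rule from Al's slapd.conf above, as a (pattern, replacement)
# list in the order slapd would try rules.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth",
     "ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)"),
]

def sasl_auth_dn(username, mechanism, realm=None, default_realm=None):
    """Form the authentication request DN the admin guide describes:
    uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth, with the realm
    component dropped when the mechanism has no realms or the default
    realm was used."""
    if realm is None or realm == default_realm:
        return f"uid={username},cn={mechanism},cn=auth"
    return f"uid={username},cn={realm},cn={mechanism},cn=auth"

def apply_sasl_regexp(auth_dn, rules=SASL_REGEXP_RULES):
    """Apply sasl-regexp rules in order; the first whole-DN match wins and
    each $N in the replacement is filled from the matching group.
    Returns the rewritten DN or URL, or the auth DN unchanged when no
    rule matches (the bind then proceeds as that uid=...,cn=auth identity)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn)
        if m:
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn

def map_sasl_identity(username, mechanism, realm=None, default_realm=None,
                      rules=SASL_REGEXP_RULES):
    """Both steps: SASL identity -> auth request DN -> sasl-regexp result."""
    return apply_sasl_regexp(
        sasl_auth_dn(username, mechanism, realm, default_realm), rules)

if __name__ == "__main__":
    # Constructed sample: the user types their e-mail address, realm "powell".
    print(map_sasl_identity("al@example.com", "DIGEST-MD5", realm="powell"))
    # Same user when "powell" is the default realm: the realm component is
    # omitted from the auth DN, so the rule above no longer matches.
    print(map_sasl_identity("al@example.com", "DIGEST-MD5",
                            realm="powell", default_realm="powell"))
```

When the realm used is the default one, the auth DN carries no cn=<realm> component, so a rule written for cn=powell does not fire and the bind stays as the uid=...,cn=DIGEST-MD5,cn=auth identity; a second rule without the realm component is needed to cover that case.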