[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL authentication with open ldap



JOYDEEP wrote, on 13. mar 2007 09:13:

[...]

1> I have executed "saslpasswd2  admin" to create the user admin in the
sasldb2

2> "sasldblistusers2"   shows as below

                     admin@linux.kolkatainfoservices.in: userPassword

3> now the command *ldapsearch -H ldaps://* when asks the password I
gave the admin password stored in sasldb2.
  and now it is working.

[...]

5> BUT when I added entry for Manager ( as per root dn) and provide the
password of manager it is not working.
even it is not working for any other uesrs which I have added in
sasldb2.


How can I fix the problem ?

PS: here is my ldif as attachment

I don't see any entry for admin in the ldif. 4 things are important:

1: There has to be a section for SASL mapping rules in slapd.conf/cn=config hierarchy as detailed in the admin guide 11.2.6. Something like:

sasl-regexp uid=(.*),cn=digest-md5,cn=auth
  "ldap:///dc=example,dc=com??sub?uid=$1";
What does yours look like?

2: If you want to proxy authorizations using admin (for example), you have to have an admin user in your directory tree (can be anywhere) and you have to give him proxy authorization (saslAuthzTo) as stated in the admin guide 11.3.3 - this will show up in an ldif of his record something like:

dn: cn=admin,dc=example,dc=com
changetype: modify
add: saslAuthzTo
saslAuthzTo: dn.regex:cn=.*,dc=example,dc=com

3; Your ACLs should give the proxy user enough rights to read user passwords and whatever attributes necessary.

4: Using the logs are ok, but the way to test your configuration out is with ldapwhoami (man 1 ldapwhoami). If your setup doesn't work with ldapwhoami it's not right.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl