
Re: OpenLDAP as a SASL backend



"Zohar Lev Shani" <levshani5252@gmail.com> writes:

> I had set up a secured TLS with all the certificates and keys needed. But
> still, I cannot login using SASL and PLAIN/LOGIN mechanisms over TLS. The user
> in the example has the userPassword hashed in MD5. See errors below:
>
>>ldapsearch -h localhost:9999 -Y PLAIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
> SASL/PLAIN authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: Password verification failed
>
>>ldapsearch -h localhost:9999 -Y LOGIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
> SASL/LOGIN authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: checkpass failed
>
> Using cleartext password solves the problem but this is not what I am trying
> to do.
> Just a reminder of what I am trying to achieve: In the database I want the
> userPassword field to be hashed and the bind authentication will be against it
> using the authz-regexp directive in slapd.conf. Using DIGEST-MD5 SASL doesn't
> help here because the userPassword needs to be in cleartext in the database.

Any SASL mechanism, except EXTERNAL, requires a cleartext password.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
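The mechanics behind the quoted exchange, as an added example that is not code from this thread or from OpenLDAP: a small Python model of a SASL PLAIN bind checked against a hashed userPassword ({MD5} as in the post, plus {SSHA}), with the authcid mapped to an entry DN by an authz-regexp-style rule, and a CRAM-MD5 exchange beside it to show why a challenge-response mechanism needs the cleartext password on the server side. The directory entries, the authz-regexp rule and the CRAM-MD5 challenge are constructed for the example; the uid=<authcid>,cn=<mech>,cn=auth identity form follows the OpenLDAP Administrator's Guide, but whether a particular slapd verifies PLAIN against a hashed userPassword depends on how its SASL side is configured, which the thread does not settle.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# --- Constructed password store, modeled on the DN and user in the thread ---
# (sample data for this example, not real directory content).

def make_md5_userpassword(password: str) -> str:
    """{MD5} scheme: base64 of the raw MD5 digest of the password."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def make_ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} scheme: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

DIRECTORY = {
    # user1 / pass1 stored hashed, as in the quoted post
    "uid=user1,ou=people,dc=my-domain,dc=com": {"userPassword": make_md5_userpassword("pass1")},
    # a second constructed entry stored in cleartext, for the challenge-response contrast
    "uid=user2,ou=people,dc=my-domain,dc=com": {"userPassword": "pass2"},
}

# --- authz-regexp analogue -----------------------------------------------------
# The SASL layer presents slapd with an identity of the form
# uid=<authcid>,cn=<mech>,cn=auth and authz-regexp rewrites it to an entry DN.
# This rule is hypothetical; the real directive would live in slapd.conf.
AUTHZ_REGEXP = (
    re.compile(r"^uid=([^,]+),cn=[^,]+,cn=auth$"),
    r"uid=\1,ou=people,dc=my-domain,dc=com",
)

def sasl_identity_to_dn(authcid: str, mech: str) -> Optional[str]:
    """Map a SASL authentication identity to an entry DN, or None if no rule matches."""
    sasl_dn = f"uid={authcid},cn={mech.lower()},cn=auth"
    pattern, replacement = AUTHZ_REGEXP
    if not pattern.match(sasl_dn):
        return None
    return pattern.sub(replacement, sasl_dn)

# --- userPassword verification ({SCHEME}base64 values, or bare cleartext) -----

def verify_userpassword(stored: str, candidate: str) -> bool:
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", stored)
    if m is None:  # no scheme prefix: the store holds cleartext
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, blob = m.group(1).upper(), base64.b64decode(m.group(2))
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate.encode()).digest(), blob)
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]  # 20-byte SHA-1 digest, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    raise ValueError(f"unsupported password scheme {scheme}")

# --- SASL PLAIN (RFC 4616): message = [authzid] NUL authcid NUL passwd --------
# The cleartext password travels in the message, which is why PLAIN/LOGIN belong
# inside TLS (the -ZZ in the quoted commands); the server can then hash and
# compare it against whatever scheme userPassword is stored in.

def encode_plain(authcid: str, passwd: str, authzid: str = "") -> bytes:
    return b"\0".join(s.encode() for s in (authzid, authcid, passwd))

def server_plain_bind(message: bytes) -> Tuple[bool, str]:
    """Server side of a PLAIN bind: parse, map the authcid to a DN, verify."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False, "malformed PLAIN message"
    _authzid, authcid, passwd = (p.decode() for p in parts)
    dn = sasl_identity_to_dn(authcid, "PLAIN")
    if dn is None or dn not in DIRECTORY:
        return False, "user not found"
    if not verify_userpassword(DIRECTORY[dn]["userPassword"], passwd):
        return False, "password verification failed"
    return True, dn

# --- CRAM-MD5 (RFC 2195) for contrast: the server must recompute HMAC-MD5 keyed
# with the cleartext password, so a stored hash is useless to it. (The username
# prefix of the real response is omitted here.) -----------------------------------

def cram_md5_response(challenge: bytes, passwd: str) -> str:
    return hmac.new(passwd.encode(), challenge, hashlib.md5).hexdigest()

def server_cram_md5_verify(dn: str, challenge: bytes, response: str) -> Optional[bool]:
    """True/False on a verifiable store; None when only a hash is stored."""
    stored = DIRECTORY[dn]["userPassword"]
    if stored.startswith("{"):
        return None  # cannot derive the expected response from a hash
    return hmac.compare_digest(cram_md5_response(challenge, stored), response)

if __name__ == "__main__":
    print("PLAIN user1/pass1:", server_plain_bind(encode_plain("user1", "pass1")))
    print("PLAIN user1/wrong:", server_plain_bind(encode_plain("user1", "wrong")))
    print("PLAIN nobody/pass1:", server_plain_bind(encode_plain("nobody", "pass1")))
    challenge = b"<1234.5678@my-domain.com>"  # constructed challenge
    print("CRAM-MD5 user2 (cleartext store):",
          server_cram_md5_verify("uid=user2,ou=people,dc=my-domain,dc=com", challenge,
                                 cram_md5_response(challenge, "pass2")))
    print("CRAM-MD5 user1 (hashed store):",
          server_cram_md5_verify("uid=user1,ou=people,dc=my-domain,dc=com", challenge,
                                 cram_md5_response(challenge, "pass1")))
```

Running it prints a successful PLAIN bind for user1 against the {MD5} entry, the "user not found" and "password verification failed" outcomes for an unmapped user and a wrong password, and a CRAM-MD5 verification that works for the cleartext entry but cannot even be attempted for the hashed one. The trade-off is the one the quoted post describes: PLAIN and LOGIN keep the store hashed but put the password on the wire (hence TLS), while DIGEST-MD5 and CRAM-MD5 keep it off the wire at the cost of a cleartext-recoverable secret in the directory.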