
slapauth - requires SASL support?


Sorry again if this is the wrong place for OpenLDAP questions.  I've got a
question about slapauth...

We don't have SASL support enabled.  The immediate question is... does
slapauth require SASL support?  (I've seen a bunch of SASL references in my
quest to find some slapauth examples on the web.)

So here's the only slapauth example I've been able to find
(repeatedly):

 The command

     /usr/local/sbin/slapauth -f //usr/local/etc/openldap/slapd.conf -v \
         -U bjorn -X u:bjensen

 tests whether the user bjorn can assume the identity of the user
 bjensen provided the directives

     authz-policy from
     authz-regexp "^uid=([^,]+).*,cn=auth$"
         "ldap:///dc=example,dc=com??sub?uid=$1"

 are defined in slapd.conf(5).

I've read the authz-policy and authz-regexp descriptions in the slapd.conf
man page, but I'm relatively new to OpenLDAP, and admittedly don't
understand much of those descriptions.

I've been trying the following command, which I think should yield a
successful authorization, but the authorization fails.

/usr/local/sbin/slapauth -v -f /usr/local/etc/openldap/slapd.conf \
    -U "cn=BDB1man,o=BDB1" -X u:"cn=John Thayer,o=BDB1"
bdb_monitor_open: monitoring disabled; configure monitor database to enable
<= bdb_equality_candidates: (objectClass) not indexed
<= bdb_equality_candidates: (objectClass) not indexed
ID:      <cn=BDB1man,o=BDB1>
authcDN: <uid=cn\3Dbdb1man\2Co\3Dbdb1,cn=auth>
authzDN: <uid=cn\3Djohn thayer\2Co\3Dbdb1,cn=auth>
authorization failed

"cn=BDB1man,o=BDB1" is my rootdn, and "cn=John Thayer,o=BDB1" is an entry
in the o=BDB1 tree.

My database declaration in slapd.conf is as follows...

database    bdb
suffix      "o=BDB1"
rootdn      "cn=BDB1man,o=BDB1"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw            plop
timelimit      1
idletimeout    4
# The userPassword attribute is writeable by the entry itself and
# by the rootdn.  It may be used for authentication purposes, but
# is otherwise not readable.
# (The rootdn bypasses access controls anyway, so the dn.base clause
# granting it write access is redundant; it is kept here as posted.)
access to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=BDB1man,o=BDB1" write
      by * none
# All other attributes are writeable by the entry itself and
# by the rootdn, and may be read by all users.
access to *
      by self write
      by dn.base="cn=BDB1man,o=BDB1" write
      by * read
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /usr/local/var/openldap-data
# Indices to maintain.  objectClass is not indexed, which is what the
# "(objectClass) not indexed" lines in the slapauth output refer to.
index sn,mail,uid,title eq

So since I allow "cn=BDB1man,o=BDB1" write access to everything, I was
thinking he should be able to assume the identity of "cn=John
Thayer,o=BDB1", and the slapauth authorization should be allowed.

But if slapauth requires SASL support, then this whole thing is easily
explained.  (That would be why the authorization is failing, right?)

Thanks in advance for your help!
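The directives the quoted man page example relies on, shown in context as an added example; this is not part of the original post, not a reply from the list, and not OpenLDAP's own documentation. The starting point is the output in the post: both authcDN and authzDN are printed in the synthetic uid=...,cn=auth form, which is what slapd builds from a bare -U identity or a u: authzID before any authz-regexp has mapped it onto a directory entry. The posted slapd.conf defines neither authz-regexp nor authz-policy, and ACL write access is not consulted during proxy authorization; only the authzTo/authzFrom rules selected by authz-policy are. None of this depends on slapd having been built with Cyrus SASL. The fragment assumes that an entry cn=BDB1man,o=BDB1 really exists under o=BDB1 (a rootdn does not need an entry, so this is an assumption), and that the LDIF is applied with ldapmodify as the rootdn.

```conf
# Added example, not the poster's configuration.  Assumptions: the
# o=BDB1 tree from the post, an actual entry for cn=BDB1man,o=BDB1,
# and an entry cn=John Thayer,o=BDB1 that is to be assumed.

# --- slapd.conf: global section, i.e. before the "database bdb" line ---

# Which rules decide proxy authorization.  "from" means slapd reads the
# authzFrom attribute of the entry being assumed (the authzDN) and
# checks whether the authenticating identity (the authcDN) matches one
# of its values.  "to" would read authzTo on the authenticating entry
# instead; "any" accepts either, "all" requires both.
authz-policy from

# Map the synthetic "uid=<authcID>,cn=auth" identity that a bare -U
# (or "u:" authzID) produces onto a real entry.  The match is done
# against the normalized DN, hence lowercase in the output; the
# replacement is an LDAP URL searched for exactly one entry.  Without
# such a rule the authcDN stays in the cn=auth form, as in the post,
# and can never equal an entry in the directory.
authz-regexp "^uid=([^,]+),cn=auth$"
             "ldap:///o=BDB1??sub?(cn=$1)"

# --- LDIF, applied as the rootdn with ldapmodify, to the entry being
# --- assumed (authz-policy from => authzFrom lives on the target) ---

dn: cn=John Thayer,o=BDB1
changetype: modify
add: authzFrom
authzFrom: dn.exact:cn=BDB1man,o=BDB1

# --- The check itself, with a plain identifier for -U so that the
# --- regexp above can match it, and a dn: authzID that is used as-is:
#
#   /usr/local/sbin/slapauth -v -f /usr/local/etc/openldap/slapd.conf \
#       -U BDB1man -X "dn:cn=John Thayer,o=BDB1"
#
# Expected mapping: authcDN <cn=BDB1man,o=BDB1> (found by the URL search),
# authzDN <cn=John Thayer,o=BDB1>, and authzFrom on the target matches.
```

Passing a whole DN to -U, as the posted command does, is what produces the escaped `uid=cn\3Dbdb1man\2Co\3Dbdb1,cn=auth` string in the output: the commas and equals signs of the DN are escaped inside the synthetic uid value, so it neither names an entry nor matches a regexp written for plain identifiers. For -X the `dn:` prefix hands slapd a DN directly, while `u:` goes through the same uid=...,cn=auth construction and therefore needs the authz-regexp as well.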