[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: PROBLEM: can't use SASL to authentication openldap client

	This is my comprehension:
1. The client is connecting to SLAPD requesting an SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client. 

So SLAPD just compares the password received form client and the one stored in sasldb2, how could it relate to the one stored in ldap like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?

-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter
Sent: Wednesday, June 23, 2010 3:33 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client


"LI Ji D" <Ji.d.Li@alcatel-lucent.com> writes:

> Hi,
> I tried again with following steps:

> dn: uid=admin,ou=People,o=Ever
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
> 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
> 5. ./ldapsearch -U admin -Y DIGEST-MD5


You have the attribute value for userPassword hashed with SHA, that is
the password hash has a length of 32bit,
SASL requires plain text password in order to create a challange, a
challange based on a 32bit string is different from a challange based
on a plain text password string.


Dieter Klünter | Systemberatung
sip: +49.40.20932173