[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PROBLEM: can't use SASL to authentication openldap client

Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
	My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not, it uses  the password stored in userpassword attribute of this user which is a item of openldap.
	So I want to know, how can slapd use password stored in sasldb to do the sasl authentication.

I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.

I recommend you file a bug report.

File the bug with the correct people. OpenLDAP doesn't do anything in
particular with SASL configuration. If you can't get the desired behavior
by setting the SASL config file, then file a bug against Cyrus SASL.

It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
found the insertion of a SASL_CB_GETOPT function which replaces whatever
auxprop_plugin value is found in the sasl config file with the
sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.

It's perfectly documented in the slapd.conf man page... just never occurred
to me to look.



sasl-auxprops sasldb

within the openldap slapd.conf works for me.

My mistake. This was added last year.

http://www.openldap.org/its/index.cgi/Software Bugs?id=6147

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/