Re: Problems Enabling Authentication using Cyrus SASL

Fernando Torrez <fernando_torrez@hotmail.com> writes:

> Hi all
> Thanks for all your suggestions
>    I tried the suggested command (thanks Moorthi):
>                   ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I
> with no success. I got this error:
> firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I
> SASL/DIGEST-MD5 authentication started
> SASL Interaction
> Default: u:test
> Please enter your authorization name: test
> Default: proxyuser
> Please enter your authentication name: proxyuser
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: unable
> authorization ID
> (Logs are at the bottom of this mail for details)
> I also realized that the logs changed almost nothing whether the command below
> is running or not:
>             saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
> so I can say that unfortunately there's no communication between SASLAUTHD and
> Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter)
> But I'm still wondering if there's a way to work ldap server and cyrus-sasl
> together. Let's be more accurate
> 1.-  Connect to ldap server through cyrus-sasl (let's say authenticated/
> authorized proxyuser connected to ldap server)
> 2.-  Once connected to the ldap server, authenticate/authorize other user (or
> any object ) saved on ldap server using previous connection done in step 1
> Is that possible? Or, am I driving crazy for nothing?

Is there any particular reason to include an external identity provider
daemon like saslauthd?
Why don't you just use built-in sasl functions? As I already

1. create plaintext userPasswords,
2. configure authz-regexp to map sasl authentication string to an
   entry, (man slapd.conf(5))
3. add to /etc/sasl2/slapd.conf 'auxprop_plugin: slapd'
4. test with ldapwhoami

If you want additional proxy authentication
1. add an authz-policy to slapd.conf
2. add authzTo attribute and appropriate value to a proxy user entry,
3. test with ldapwhoami -X u:<proxy-user> -U <user> -Y <mechanism>
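A worked configuration for the built-in route described in the reply above (plaintext userPassword, authz-regexp mapping, slapd auxprop plugin, authzTo on the proxy user), added here as an illustration and not taken from the original thread. The suffix dc=example,dc=com, the ou=people container, the file paths and the DIGEST-MD5 mechanism are assumptions.

```conf
# --- /etc/sasl2/slapd.conf (Cyrus SASL config read by slapd; assumed path) ---
# Let slapd look up the password itself instead of asking saslauthd.
mech_list: DIGEST-MD5
auxprop_plugin: slapd

# --- slapd.conf fragment (assumed suffix dc=example,dc=com) ---
# DIGEST-MD5 needs the cleartext password, so the entries must carry
# "userPassword: <cleartext>" rather than a {SSHA} hash.
#
# A SASL bind with "-U test -Y DIGEST-MD5" reaches slapd as the
# pseudo-DN uid=test,cn=digest-md5,cn=auth.  Map that string onto
# the real entry by searching for a matching uid under ou=people.
authz-regexp
    "^uid=([^,]+),cn=digest-md5,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Proxy authorization: "to" means slapd consults the authzTo attribute
# stored on the *authenticating* entry (the proxy user) to decide which
# identities it may assume.  Without this directive every "-X u:<user>"
# request is refused with "authorization failure".
authz-policy to

# --- LDIF for the proxy user entry (assumed DN) ---
# dn: uid=proxyuser,ou=people,dc=example,dc=com
# objectClass: inetOrgPerson
# uid: proxyuser
# cn: Proxy User
# sn: User
# userPassword: CONSTRUCTED-SECRET
# authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)
#
# The authzTo URL limits what proxyuser may become: here, any
# inetOrgPerson under ou=people.  Narrow the filter to the minimum
# set of target accounts the proxy really needs.
#
# Test (authenticate as proxyuser, act as test):
#   ldapwhoami -U proxyuser -X u:test -Y DIGEST-MD5
# Success returns the DN that authz-regexp resolved for "test".
```

Both the proxy user and the target entry must be resolvable through authz-regexp; if either mapping yields no entry or more than one, slapd rejects the bind with the same "Insufficient access" seen in the quoted session.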


