[Date Prev][Date Next]
Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
Thank you for your information.
First of all, It is not important to use realm
if ldap server could identify ldap_user@copnay_a.com and ldap_user@company_b.net
And your idea looks good. I'll check later.
and I'll report later.
1, My goal is to build ldap server like the following.
* Store multiple companies information in one ldap server.
* Secure authentication (SASL/Kerberos, or SASL/Digest-MD5)
* High availability SASL database.
sasldb is just file,
I would like to share user info with multiple machines.
2, My Plan
* LDAP DIT
# user DIT in company a
# user DIT in company B
* Secure Auth
Plan1) SASL(Digest-MD5 Authentication)
user info : Store MySQL database
identify company_a user and company_b user with realm.
Plan2) SASL(GSSAPI Authentication)
not test yet.
Thank you in your advice.
2011/2/17 Dan White <email@example.com>:
> On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
>> Thank you Dan.
>> I simplified test environment. (see below)
>> * Problem summary
>> Does anybody succeed to setup SASL(digest-md5) authentication with
>> mysql database and latest openldap-server??
>> I'm not sure, why this configuration does not work correctly.
>> and It seems that LDAP server compare dn and input password in ldap
>> authentication. (see log below)
>> To: Dan
>>> This isn't matching what's showing up in your logs. slapd is internally
>>> canonicalizing the realm as 'cn=mydomain,dc=com' and not
>> Is this true??
>> I tested again. It seems that c=<realm> will set ``sasl-realm'' value.
> In your original post, you specified this command:
> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U
> ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
> -LLL '(objectclass=*)'
> Did you specify '-R mydomain.com' in all the other examples?
> I'm getting a little confused with which realm value we're talking about.
> See the sasl_server_new(3) man page for a discussion of what sasl-host
> (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd
> config. I don't know what effect, if any, setting either value will have
> when using the digest-md5 mechanism.
> In fact, in might simply things to drop the sasl realm (-R) altogether and
> capture the domain in the authentication identity (-U
> firstname.lastname@example.org), if your environment supports it.
>> # sasl-realm mydomain.com
> Another way to approach this (without using realms):
> (and yes, I just broke my own rule about .*)
> Dan White