Re: Got error while enabling SASL
On 02/07/12 11:01 +0530, Gaurav Gugnani wrote:
Thanks to all for helping me out. I hope now the destination is not too far
as I achieved the SASL but it is storing using sasldb.
However, I want it to store information in ldap directory.
I've installed the corresponding package:
Steps for SASL in LDAP using sasldb
1> saslpasswd2 -c sasluser14
I can't stress enough that these commands are going to confuse you when
using slapd. There really are only a few advanced uses for using these
commands in your desired environment.
3> service ldap stop
4> vi etc/openldap/slapd.conf
This is the wrong thing to do. You should remove this option if you wish to
have slapd use userPassword to authenticate your users. By specifying
sasldb here, you're instructing slapd, by way of libsasl2, to authenticate
your users against /etc/sasldb2.
would also be the wrong thing to do. In addition to 'sasldb' and 'ldapdb',
slapd implements its own auxprop plugin called 'slapd' which is the
default, and which Does the Right Thing (TM). However, be aware that
'slapd' will not show up in the output of pluginviewer (or at least I'm not
aware of a way to make it do so).
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
Again this is the wrong thing to do. In recent versions of slapd this value
is overridden by 'sasl-auxprops'.
You should uncomment this, if using older versions of slapd. For newer
versions of slapd, 'sasl-auxprops' defaults to slapd.
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
CRAM-MD5 and DIGEST-MD5 are fine here. If you really want to use PLAIN and
LOGIN, specify a relaxed 'sasl-secprops' within your slapd configuration.
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
description: Special account for SASL Testing
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b
But now the problem is - it is storing the users in sasldb, and we want to
use ldap directory.
Can anyone please suggest - What changes I need to make to achieve it?
On 02/07/12 16:43 +0530, Gaurav Gugnani wrote:
I was working on this problem and figured out that ldapdb plugin auxprop is
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
Installed auxprop mechanisms are:
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such thing, ldapdb auxprop plugin should be enabled.
ldapdb should only be used from outside of slapd. For instance, if you were
running a mail server that you wish to authenticate against slapd, then
ldapdb would be appropriate.
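
The checks this reply describes, as an added Python example (not code from the thread or from OpenLDAP): it flags a non-default 'sasl-auxprops' in slapd.conf, an 'auxprop_plugin' other than 'slapd' in the SASL configuration, and PLAIN/LOGIN in 'mech_list' without a relaxed 'sasl-secprops'. The sample file contents are constructed, and the "noanonymous,noplain" default for 'sasl-secprops' is an assumption taken from slapd.conf(5), not from the thread.

```python
import re

# Constructed sample inputs modelled on the setup quoted in the thread.
SLAPD_CONF = """\
sasl-auxprops sasldb
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
"""
SASL_CONF = """\
# SASL Configuration
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
"""

def parse(text):
    """Return {directive: value} for 'key value' and 'key: value' lines."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w-]*)\s*:?\s*(.*?)\s*$", line)
        if m:  # comment and blank lines do not match
            conf.setdefault(m.group(1).lower(), m.group(2))
    return conf

def audit(slapd_text, sasl_text):
    """Return (file, directive, advice) findings for the mistakes named in the reply."""
    slapd, sasl = parse(slapd_text), parse(sasl_text)
    findings = []
    aux = slapd.get("sasl-auxprops")
    if aux is not None and aux != "slapd":
        findings.append(("slapd.conf", "sasl-auxprops",
                         f"'{aux}' replaces the default 'slapd' auxprop; remove the option"))
    plugin = sasl.get("auxprop_plugin")
    if plugin is not None and plugin != "slapd":
        findings.append(("sasl2/slapd.conf", "auxprop_plugin",
                         f"'{plugin}' is wrong for slapd; recent slapd overrides it"))
    # Assumption from slapd.conf(5): sasl-secprops defaults to noanonymous,noplain.
    secprops = slapd.get("sasl-secprops", "noanonymous,noplain").lower().split(",")
    plain = {"PLAIN", "LOGIN"} & set(sasl.get("mech_list", "").upper().split())
    if plain and "noplain" in secprops:
        findings.append(("slapd.conf", "sasl-secprops",
                         f"{sorted(plain)} need a relaxed sasl-secprops"))
    return findings

if __name__ == "__main__":
    for finding in audit(SLAPD_CONF, SASL_CONF):
        print(": ".join(finding))
```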