Hello Dan,
Thanks a lot for making things work.
I'm jotting down the steps which I executed to make SASL work:
*Steps to make SASL configuration working:*
---------------------------------------------------------------------
1> Install the following packages:
- cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
- cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
2> Create sasl2/slapd.conf
vi /usr/lib64/sasl2/slapd.conf
[root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
3> Modify $LDAP_HOME/etc/openldap/slapd.conf
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
#ACL
access to attrs="userpassword"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.base="o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" read
    by dn="uid=monitorusr,ou=System,o=xyz" read
    by dn="uid=replicator,ou=System,o=xyz" read
    by users read
access to dn.subtree="ou=Subscribers,o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" write
    by dn="uid=monitorusr,ou=System,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.subtree="ou=System,o=xyz"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to *
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
On execution of command:
ldapsearch -Y DIGEST-MD5 -U serviceusr -b
'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'
It's clearly displaying in the log:
.....
*conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128*
.....
Now, I wanted to confirm whether these are the only steps, or am I missing
something?
How do I confirm that SASL has been enabled and it's working fine?
Please provide some input on this.
Thanks and Regards,
Gaurav Gugnani
On Thu, Feb 9, 2012 at 1:48 AM, Dan White <dwhite@olp.net> wrote:
On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
Thanks Dan, it worked.
Now hopefully last query from my side (sorry to bother you so much)
As I gave:
access to dn.subtree="ou=System,o=xyz"
by dn="uid=sasluser21,ou=System,o=xyz" read
by anonymous auth
*So, will giving anonymous privilege cause any issue?*
I read the following:
Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry).
What is its impact? Please shed some light on it.
Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.
--
Dan White
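The "how do I confirm SASL is working" question in the thread is best answered from slapd's own stats log, which is exactly what the quoted `BIND ... mech=DIGEST-MD5 sasl_ssf=128 ssf=128` line shows. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses the `BIND dn=... mech=... ssf=...` lines slapd writes at loglevel stats, summarises which mechanism each bind used, and flags binds whose password crossed the wire unprotected. It goes a little beyond the single DIGEST-MD5 line on the page by also handling `mech=SIMPLE` and the cleartext SASL mechanisms (PLAIN and LOGIN, both listed in the thread's `mech_list`), which only protect the password when TLS gives the connection an `ssf` above 0. The log lines are constructed for the example; connection ids and DNs are made up, with the `o=xyz` base taken from the thread's configuration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of slapd stats-level log lines, modelled on the BIND line
# quoted in the thread. Connection ids and DNs are made up for this example.
SAMPLE_LOG = """\
conn=12323 op=0 BIND dn="" method=163
conn=12323 op=1 BIND authcid="serviceusr" authzid="serviceusr"
conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=xyz" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=12324 op=0 BIND dn="uid=monitorusr,ou=system,o=xyz" method=128
conn=12324 op=0 BIND dn="uid=monitorusr,ou=system,o=xyz" mech=SIMPLE ssf=0
conn=12325 op=0 BIND dn="" method=163
conn=12325 op=1 BIND dn="uid=replicator,ou=system,o=xyz" mech=PLAIN sasl_ssf=0 ssf=256
conn=12326 op=0 BIND dn="" method=163
conn=12326 op=1 BIND dn="uid=sasluser21,ou=system,o=xyz" mech=PLAIN sasl_ssf=0 ssf=0
"""

# Matches the final BIND line slapd logs for a bind: mech=, optional sasl_ssf=,
# and the connection's overall ssf= (the larger of the TLS and SASL layers).
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r' mech=(?P<mech>\S+)(?: sasl_ssf=(?P<sasl_ssf>\d+))? ssf=(?P<ssf>\d+)'
)

# Mechanisms that transmit the password itself rather than a challenge response.
CLEARTEXT_MECHS = {"SIMPLE", "PLAIN", "LOGIN"}


@dataclass
class Bind:
    conn: int
    dn: str
    mech: str
    sasl_ssf: Optional[int]  # None for simple binds, which have no SASL layer
    ssf: int                 # overall protection on the connection

    @property
    def is_sasl(self) -> bool:
        return self.mech != "SIMPLE"

    @property
    def password_exposed(self) -> bool:
        # A cleartext mechanism is only acceptable when the connection is
        # already protected (TLS gives ssf > 0). DIGEST-MD5 and CRAM-MD5 never
        # put the password on the wire, so they are not flagged here.
        return self.mech in CLEARTEXT_MECHS and self.ssf == 0


def parse_binds(log_text: str) -> List[Bind]:
    """Extract one Bind per 'BIND dn=... mech=... ssf=...' log line."""
    binds: List[Bind] = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue  # 'method=' and 'authcid=' lines carry no ssf; skip them
        binds.append(Bind(
            conn=int(m["conn"]),
            dn=m["dn"],
            mech=m["mech"],
            sasl_ssf=int(m["sasl_ssf"]) if m["sasl_ssf"] is not None else None,
            ssf=int(m["ssf"]),
        ))
    return binds


def sasl_summary(binds: List[Bind]) -> Dict[str, int]:
    """Count bind attempts per mechanism; a non-SIMPLE entry proves SASL is in use."""
    counts: Dict[str, int] = {}
    for b in binds:
        counts[b.mech] = counts.get(b.mech, 0) + 1
    return counts


def exposed_binds(binds: List[Bind]) -> List[Bind]:
    """Binds whose password was sent over an unprotected connection."""
    return [b for b in binds if b.password_exposed]


if __name__ == "__main__":
    binds = parse_binds(SAMPLE_LOG)
    print("binds per mechanism:", sasl_summary(binds))
    for b in exposed_binds(binds):
        print(f"conn={b.conn} {b.mech} bind by {b.dn!r} sent the password in the clear")
```

Run it against a real slapd log (loglevel must include stats, the default 256) to see the same breakdown. An end-to-end check from the client side is `ldapwhoami -Y DIGEST-MD5 -U serviceusr`, which should print the mapped DN from the `authz-regexp` line and produce a `mech=DIGEST-MD5` entry in the log. Two caveats follow directly from the thread's configuration: `password-hash {CLEARTEXT}` is what lets the slapd auxprop plugin serve DIGEST-MD5 and CRAM-MD5, so `userPassword` values are stored unhashed and the ACL on that attribute is what protects them; and keeping PLAIN and LOGIN in `mech_list` is only safe when every bind using them arrives over TLS, which is exactly what the `ssf=0` check above detects.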