
Re: EXTERNAL mech missing



On Mon, Dec 17, 2012 at 11:08:11AM -0600, Dan White wrote:
> You should not use the ldapdb auxprop plugin within slapd's sasl config.
> You should be using 'slapd' instead, which is the default (it's an internal
> auxprop plugin distributed with OpenLDAP).
> 
> If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is
> ignored anyway

Right, I removed it, but it should not change anything. And indeed it does
not change anything.

> ># su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
> >	-Y PLAIN -H ldaps://ldap.example.net'

> That command doesn't make sense. '-U uid=someone,dc=example,dc=net' 
> should be '-U someone' instead, 

I tried that and got the same result.

> and you should create new authz-regexp rules to map a
> sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.

I did this. With debug acl level, I can see that the
uid=someone,dc=example,dc=net is tried for auth, but it fails.

> You could also do:
> su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
> with an appropriately written authz-regexp rule. 'someone' would need unix
> file permissions to access your ldapi unix socket.

That works, but what I am looking for is to get SASL PLAIN working over
the network with TLS. I want to use authzid.

-- 
Emmanuel Dreyfus
manu@netbsd.org
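Added example, not part of the thread and not Dan's or Emmanuel's configuration: a slapd.conf fragment with authz-regexp rules for both identities discussed above, the SASL PLAIN authcid arriving over TLS and the EXTERNAL peer credentials arriving over ldapi:///. The suffix dc=example,dc=net and the host ldap.example.net are taken from the thread; the uidNumber lookup, the SSF values, the authz-policy setting and the authzTo value are assumptions made for illustration.

```conf
# Added example (not from the thread). Suffix dc=example,dc=net and host
# ldap.example.net come from the messages above; the uidNumber lookup, the
# SSF values and the authzTo value are assumptions for illustration.

# SASL PLAIN: the authcid "someone" reaches the authz-regexp stage as
#   uid=someone,cn=PLAIN,cn=auth              (no realm configured)
#   uid=someone,cn=<realm>,cn=PLAIN,cn=auth   (sasl-realm set)
# Matching is case-insensitive; the optional second group absorbs a realm.
# The first rule that matches wins, so list specific rules before broad ones.
authz-regexp
  "^uid=([^,]+)(,cn=[^,]+)?,cn=plain,cn=auth$"
  "uid=$1,dc=example,dc=net"

# SASL EXTERNAL over ldapi:///: slapd builds the identity from the peer's
# unix credentials:
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# Map the numeric uid to the entry carrying that uidNumber. The "." in the
# pattern stands for the literal "+" and sidesteps backslash handling in
# slapd.conf. A rewrite target may be a DN or an LDAP URL; a URL must
# select exactly one entry or the mapping fails.
authz-regexp
  "^gidNumber=[0-9]+.uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$"
  "ldap:///dc=example,dc=net??one?(uidNumber=$1)"

# PLAIN carries the password unprotected inside the SASL exchange, so refuse
# every operation, the bind included, on a connection whose overall SSF
# (TLS counts toward it) is below 128. Local ldapi sessions get a fixed SSF
# (default 71), so raise it to keep the EXTERNAL path above working.
# Do NOT put "noplain" in sasl-secprops: that disables PLAIN altogether.
localSSF 128
security ssf=128
sasl-secprops noanonymous

# Proxy authorization (ldapwhoami -X u:other) additionally requires that the
# entry the authcid maps to is allowed to assume the requested identity:
authz-policy to
# ...with uid=someone,dc=example,dc=net carrying a value such as
#   authzTo: dn.exact:uid=other,dc=example,dc=net

# Expected results, assuming the mapped entries exist and the PLAIN target
# has a userPassword slapd can verify:
#   ldapwhoami -Y PLAIN -U someone -H ldaps://ldap.example.net
#     -> dn:uid=someone,dc=example,dc=net
#   ldapwhoami -Y EXTERNAL -H ldapi:///     (run as the unix user someone)
#     -> dn:uid=someone,dc=example,dc=net   (via the uidNumber lookup)
```

Run slapd with -d acl (as in the thread) or -d 4 to watch the "slap_sasl2dn" lines while testing: they show the exact cn=auth DN that each mechanism produces, which is the string the regexp must match, and whether a rule fired.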