[Date Prev][Date Next]
Re: EXTERNAL mech missing
On Mon, Dec 17, 2012 at 11:08:11AM -0600, Dan White wrote:
> You should not use the ldapdb auxprop plugin within slapd's sasl config.
> You should be using 'slapd' instead, which is the default (it's an internal
> auxprop plugin distributed with OpenLDAP).
> If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is
> ignored anyway
Right, I removed it, but it should not change anything. And indeed it does
not change anything.
> ># su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
> > -Y PLAIN -H ldaps://ldap.example.net'
> That command doesn't make sense. '-U uid=someone,dc=example,dc=net'
> should be '-U someone' instead,
I trired that and got the same result.
> and you should create new authz-regexp rules to map a
> sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.
I did this. With debug acl level, I can see that the
uid=someone,dc=example,dc=net is tired for auth, but it fails.
> You could also do:
> su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
> with an appropriately written authz-regexp rule. 'someone' would need unix
> file permissions to access your ldapi unix socket.
That works, but what I am looking for is to get SASL PLAIN working over
the network with TLS. I want to use authzid.