
RE: Openldap 2.2.4 SASL Proxy auth



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> 1: It would be "nice" if I could configure both OpenLDAP versions
> separately. But I can't write a sasl-regexp for the 2.2.4 instance
> that refers to port 9001. This works:
>
> sasl-regexp uid=(.*),cn=digest-md5,cn=auth
>    "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1"
>
> This doesn't:
>
> sasl-regexp uid=(.*),cn=digest-md5,cn=auth
>    "ldaps://localhost:9001/dc=billy,dc=demon,dc=nl??sub?uid=$1"
>
> Is there any way of referring the regex to port 9001?

Please notice that sasl-regexp is documented to perform internal searches.
The scheme and host part of the URI are ignored; they are merely left in
place to conform to the URI syntax definition. In 2.2 the regexps are
rejected if the host part is non-empty. They were silently ignored in 2.1.

> At the moment, the 2.2.4 instance running on port 9001 is going to the
> 2.1.25 instance *over ldapi* (that's what I have in ldap.conf) for
> authorization, which is not what I want :) I'm running the 2.2.4 daemon
> from a Xterm console at log level 7. I can see all this from the 2
> separate log instances.

Make sure slapd is not configured to use libldapdb. As the README says, slapd
should never be configured with libldapdb. In a default configuration, what
you describe cannot happen.

Ando can probably answer your question #2, I don't recall off the top of my
head.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
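
An added example, not part of the original message and not OpenLDAP code: a small Python check that scans a slapd.conf fragment for sasl-regexp replacement URIs with a non-empty host part, which per the reply above are rejected in 2.2 and were silently ignored in 2.1. The sample config is constructed from the two directives quoted in the thread, and the function names are hypothetical.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: the two directives quoted in the thread.
SAMPLE_CONF = '''\
# constructed sample slapd.conf fragment
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1"
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps://localhost:9001/dc=billy,dc=demon,dc=nl??sub?uid=$1"
'''

def logical_lines(text):
    """Yield (first_line_no, joined_text) for each directive.
    In slapd.conf a line starting with whitespace continues the previous one."""
    start, buf = None, ""
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0] in " \t" and buf:
            buf += " " + raw.strip()
        else:
            if buf:
                yield start, buf
            start, buf = no, raw.strip()
    if buf:
        yield start, buf

def find_hosted_regexps(text):
    """Return [(line_no, host_part)] for sasl-regexp replacement URIs
    whose host part is non-empty."""
    hits = []
    for no, line in logical_lines(text):
        args = shlex.split(line)
        if len(args) < 3 or args[0].lower() != "sasl-regexp":
            continue
        repl = args[2]
        if "://" not in repl:
            continue  # replacement is a plain DN, not a search URI
        host = urlsplit(repl).netloc
        if host:
            hits.append((no, host))
    return hits

if __name__ == "__main__":
    for no, host in find_hosted_regexps(SAMPLE_CONF):
        print(f"line {no}: sasl-regexp URI has host part {host!r}; "
              "the search is internal, leave the host empty")
```
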