[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: DIGEST-MD5 returns 'user not found'

To: <hyc@symas.com>
Subject: RE: DIGEST-MD5 returns 'user not found'
From: lemons_terry@emc.com
Date: Tue, 3 Apr 2007 18:46:30 -0400
Cc: openldap-software@openldap.org
Content-class: urn:content-classes:message
In-reply-to: <46115B2F.5040904@symas.com>
References: <CEC4708048E79E4CB20CDB491567EA3C0B92F3F3@mdg1ex03.g1.com> <05AADEB492F5824996D28D504686739907AF5362@CORPUSMX40A.corp.emc.com> <46114D68.6000708@symas.com> <05AADEB492F5824996D28D504686739907AF56C9@CORPUSMX40A.corp.emc.com> <46115B2F.5040904@symas.com>
Thread-index: Acd1XjNleDs+FUfJSoOgc9c/WHc+HgA401zQ
Thread-topic: DIGEST-MD5 returns 'user not found'

Thanks, Howard; I think I'm beginning to understand this.

So, the AUTHENTICATION piece is done by SASL using digest_md5, an
'external' connection to TLS, etc.  But the AUTHORIZATION piece is
handled by the rules defined in the access control policy section of
slapd.conf, right?

Thanks
tl 

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Monday, April 02, 2007 3:36 PM
To: Lemons, Terry
Cc: Kyle_Chapman@g1.com; openldap-software@openldap.org
Subject: Re: DIGEST-MD5 returns 'user not found'

lemons_terry@emc.com wrote:
> Hi Howard
> 
>> The SASL library tries all available information sources. If there
was
> a 
>> "root" user record in your sasldb2 file it would have been used.
Since 
>> your sasldblistusers2 output shows "root@tivo2" I'd say you have the 
>> wrong realm info in your database, as that doesn't match either
"root" 
>> or "root@tivo2.backup".
> 
> And that was the problem.  When I added "root@tivo2.backup" to the
sasl
> database, ldapsearch worked!  MANY thanks for this!
> 
> It's interesting (at least, to me) to note that I didn't need any of
the
> authentication identity mapping entries (as described in section
11.2.4
> of the "OpenLDAP Software 2.3 Administrator's Guide" to make this work
> (not even the "password-hash {cleartext}" entry that some resources
said
> to add).

Those config items are only needed if you intend to use entries in LDAP 
for the SASL authentication info, instead of sasldb. Generally, that is 
the best thing to do.

> So what gives this SASL mechanism the authority to perform tasks via
> LDAP?

Authentication and authorization are two separate things. When you 
configure your server to support SASL, that means you want to trust SASL

to authenticate users. Regardless of authentication mechanism, ACLs are 
used to grant authority to particular users to perform various tasks.

> Thanks!
> tl
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: DIGEST-MD5 returns 'user not found'
  - From: Howard Chu <hyc@symas.com>

References:
- RE: DIGEST-MD5 returns 'user not found'
  - From: "Chapman, Kyle" <Kyle_Chapman@G1.com>
- RE: DIGEST-MD5 returns 'user not found'
  - From: lemons_terry@emc.com
- Re: DIGEST-MD5 returns 'user not found'
  - From: Howard Chu <hyc@symas.com>
- RE: DIGEST-MD5 returns 'user not found'
  - From: lemons_terry@emc.com
- Re: DIGEST-MD5 returns 'user not found'
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: ppolicy and sync replication
Next by Date: LDAP C API : Sync prtocol
Index(es):
- Chronological
- Thread