
Re: Has anybody succeeded in setting up SASL (digest-md5) authentication with a MySQL database and the latest openldap-server?



Hi Dan.

Thank you for your information.

First of all, it is not important to use a realm
if the LDAP server can identify ldap_user@company_a.com and ldap_user@company_b.net.

And your idea looks good. I'll check it later
and report back.


1. My goal is to build an LDAP server like the following.

  * Store multiple companies' information in one LDAP server.
  * Secure authentication (SASL/Kerberos or SASL/Digest-MD5).
  * High-availability SASL database.
    sasldb is just a file;
    I would like to share user info between multiple machines.

2. My plan

  * LDAP DIT

    ou=users,ou=company_a.com,dc=mydomain,dc=com
      # user DIT for company A

    ou=users,ou=company_b.net,dc=mydomain,dc=com
      # user DIT for company B

  * Secure Auth

    Plan 1) SASL (Digest-MD5 authentication)
      user info: stored in a MySQL database

      identify company_a users and company_b users by realm.

    Plan 2) SASL (GSSAPI authentication)
      not tested yet.

Thank you for your advice.

--
Hiroyuki Sato



2011/2/17 Dan White <dwhite@olp.net>:
> On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
>>
>> Thank you Dan.
>>
>>
>> I simplified the test environment (see below).
>>
>> * Problem summary
>>  Has anybody succeeded in setting up SASL (digest-md5) authentication with
>>  a MySQL database and the latest openldap-server?
>>
>>  I'm not sure why this configuration does not work correctly,
>>  and it seems that the LDAP server compares the DN and input password in LDAP
>>  authentication (see log below).
>>
>> To: Dan
>>
>>>>  sasl-regexp
>>>>  uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>>>>  uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
>>>
>>> This isn't matching what's showing up in your logs. slapd is internally
>>> canonicalizing the realm as 'cn=mydomain,dc=com' and not
>>> 'cn=mydomain.com'.
>>
>> Is this true?
>> I tested again. It seems that c=<realm> will set the ``sasl-realm'' value.
>
> In your original post, you specified this command:
>
> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5  -U
> ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
> -LLL '(objectclass=*)'
>
> Did you specify '-R mydomain.com' in all the other examples?
>
> I'm getting a little confused with which realm value we're talking about.
>
> See the sasl_server_new(3) man page for a discussion of what sasl-host
> (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd
> config. I don't know what effect, if any, setting either value will have
> when using the digest-md5 mechanism.
>
> In fact, it might simplify things to drop the sasl realm (-R) altogether and
> capture the domain in the authentication identity (-U
> ldapuser@mydomain.com), if your environment supports it.
>
>>  case1
>>
>>     # sasl-realm mydomain.com
>>     sasl-regexp
>>       uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
>>       uid=$1,ou=users,dc=mydomain,dc=com
>
> Another way to approach this (without using realms):
>
> sasl-regexp
>  uid=([^@]+)@([^\.]+)\.([^,]+),cn=.*,cn=auth
>  uid=$1,ou=users,dc=$2,dc=$3
>
> (and yes, I just broke my own rule about .*)
>
> --
> Dan White
>
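The thread turns on what string slapd actually hands to sasl-regexp (the canonicalised realm `cn=mydomain,dc=com` rather than `cn=mydomain.com`) and on which rule maps it to a DN in the DIT. The script below is an added example, not code from the thread or from OpenLDAP: it replays the rewriting step only, applying the rules quoted above to constructed authentication DNs of the form `uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth`. It assumes slapd's semantics are first-match-wins, case-insensitive and unanchored, and that the regex features used (character classes, `.*`, `\.`) behave the same under POSIX ERE and Python's `re`; confirm against slapd.conf(5) for the version you run. The rule `RULE_PER_COMPANY`, which rewrites Dan's realm-free idea onto the `ou=users,ou=<domain>,dc=mydomain,dc=com` layout from the plan, is a hypothetical adaptation and not something either poster wrote.

```python
"""Replay slapd authz-regexp (sasl-regexp) mappings on constructed SASL DNs.

Added example; not from the thread or from OpenLDAP.  Assumptions: first
matching rule wins, matching is case-insensitive and unanchored, and the
regex subset used here means the same thing in POSIX ERE and Python's re.
"""
import re


def _py_template(repl):
    # slapd writes back-references as $1..$9; Python's re wants \1..\9.
    return re.sub(r"\$(\d)", r"\\\1", repl)


def apply_rules(auth_dn, rules):
    """Return the DN that the first matching (pattern, replacement) rule
    maps auth_dn to, or None when no rule matches."""
    for pattern, repl in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            return m.expand(_py_template(repl))
    return None


# Rule from the original post: the realm written literally as cn=mydomain.com.
RULE_REALM_LITERAL = (
    r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com",
)
# "case1" from the thread: the realm as slapd canonicalises it.
RULE_CASE1 = (
    r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,dc=mydomain,dc=com",
)
# Same as case1 but capturing with the .* Dan warns against.
RULE_CASE1_LOOSE = (
    r"uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,dc=mydomain,dc=com",
)
# Dan's realm-free rule: domain carried in the authcid, split into dc= parts.
RULE_DAN = (
    r"uid=([^@]+)@([^\.]+)\.([^,]+),cn=.*,cn=auth",
    "uid=$1,ou=users,dc=$2,dc=$3",
)
# Hypothetical adaptation (mine) of Dan's idea to the per-company DIT.
RULE_PER_COMPANY = (
    r"uid=([^@,]+)@([^,]+),cn=[^,]+,cn=auth",
    "uid=$1,ou=users,ou=$2,dc=mydomain,dc=com",
)

# Constructed authentication DNs, in the shape slapd builds them.
DN_WITH_REALM = "uid=ldapuser,cn=mydomain,dc=com,cn=digest-md5,cn=auth"
DN_NO_REALM_A = "uid=ldap_user@company_a.com,cn=digest-md5,cn=auth"
DN_NO_REALM_B = "uid=ldap_user@company_b.net,cn=digest-md5,cn=auth"
DN_REALM_AND_AT = (
    "uid=ldap_user@company_b.net,cn=mydomain,dc=com,cn=digest-md5,cn=auth"
)
# An authcid containing a comma: shows what [^,]+ refuses and .* splices in.
DN_COMMA_AUTHCID = "uid=evil,ou=admins,cn=mydomain,dc=com,cn=digest-md5,cn=auth"


def demo():
    """Map each constructed DN through the relevant rule(s)."""
    return {
        "literal_realm": apply_rules(DN_WITH_REALM, [RULE_REALM_LITERAL]),
        "case1": apply_rules(DN_WITH_REALM, [RULE_CASE1]),
        "dan_a": apply_rules(DN_NO_REALM_A, [RULE_DAN]),
        "per_company_b": apply_rules(DN_NO_REALM_B, [RULE_PER_COMPANY]),
        "per_company_with_realm": apply_rules(DN_REALM_AND_AT, [RULE_PER_COMPANY]),
        "dan_with_realm": apply_rules(DN_REALM_AND_AT, [RULE_DAN]),
        "comma_strict": apply_rules(DN_COMMA_AUTHCID, [RULE_CASE1]),
        "comma_loose": apply_rules(DN_COMMA_AUTHCID, [RULE_CASE1_LOOSE]),
    }


if __name__ == "__main__":
    for name, dn in demo().items():
        print(f"{name:24s} -> {dn}")
```

Two things the output makes concrete. The literal `cn=mydomain.com` rule never matches the canonicalised form, which is the mismatch Dan points out from the logs, while `case1` does. Dropping `-R` and carrying the domain in `-U` works with either realm-free rule, but only Dan's `cn=.*` version keeps matching if a client still sends a realm; the tighter `cn=[^,]+` form fails in that case, so pick one convention for clients and test both. The comma case is the reason for the "rule about `.*`": `[^,]+` refuses to map an identity containing a comma, whereas `.*` splices it straight into the resulting DN. Whether such an authcid can ever pass Digest-MD5 depends on what the MySQL auxprop backend accepts, so keep the capture groups restrictive regardless.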