[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??

Hi Dan.

Thank you for your information.

First of all, It is not important to use realm
if ldap server could identify ldap_user@copnay_a.com and ldap_user@company_b.net

And your idea looks good. I'll check later.

and I'll report later.

1, My goal is to build ldap server like the following.

  * Store multiple companies information in one ldap server.
  * Secure authentication (SASL/Kerberos, or SASL/Digest-MD5)
  * High availability SASL database.
    sasldb is just file,
    I would like to share user info with multiple machines.

2, My Plan


      # user DIT in company a

      # user DIT in company B

  * Secure Auth

    Plan1) SASL(Digest-MD5 Authentication)
      user info : Store MySQL database

      identify company_a user and company_b user with realm.

    Plan2) SASL(GSSAPI Authentication)
    not test yet.

Thank you in your advice.

Hiroyuki Sato

2011/2/17 Dan White <dwhite@olp.net>:
> On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
>> Thank you Dan.
>> I simplified test environment. (see below)
>> * Problem summary
>>  Does anybody succeed to setup SASL(digest-md5) authentication with
>>  mysql database and latest openldap-server??
>>  I'm not sure, why this configuration does not work correctly.
>>  and It seems that LDAP server compare dn and input password in ldap
>>  authentication. (see log below)
>> To: Dan
>>>>  sasl-regexp
>>>>  uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>>>>  uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
>>> This isn't matching what's showing up in your logs. slapd is internally
>>> canonicalizing the realm as 'cn=mydomain,dc=com' and not
>>> 'cn=mydomain.com'.
>> Is this true??
>> I tested again. It seems that c=<realm> will set ``sasl-realm'' value.
> In your original post, you specified this command:
> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5  -U
> ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
> -LLL '(objectclass=*)'
> Did you specify '-R mydomain.com' in all the other examples?
> I'm getting a little confused with which realm value we're talking about.
> See the sasl_server_new(3) man page for a discussion of what sasl-host
> (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd
> config. I don't know what effect, if any, setting either value will have
> when using the digest-md5 mechanism.
> In fact, in might simply things to drop the sasl realm (-R) altogether and
> capture the domain in the authentication identity (-U
> ldapuser@mydomain.com), if your environment supports it.
>>  case1
>>     # sasl-realm mydomain.com
>>     sasl-regexp
>>       uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
>>       uid=$1,ou=users,dc=mydomain,dc=com
> Another way to approach this (without using realms):
> sasl-regexp
>  uid=([^@]+)@([^\.]+)\.([^,]+),cn=.*,cn=auth
>  uid=$1,ou=users,dc=$2,dc=$3
> (and yes, I just broke my own rule about .*)
> --
> Dan White