
Re: SASL/PLAIN Passthrough auth



On 03/08/13 21:16 +0100, Robin Helgelin wrote:
> Hi,
>
> I have a SASL pass-through authentication working when using a simple
> bind only on users that have a userPassword starting with {SASL}. When
> the user's password contains {SASL}extraAuthInformation, the
> extraAuthInformation is passed on as username to the saslauthd and
> everything works as it should.
>
> However, when using SASL/PLAIN all requests go to the saslauthd,
> without passing the extra information found in userPassword. Another
> issue is that the username sent to saslauthd is the username entered
> by the user, not the dn found when rewriting the username with
> authz-regexp.
>
> Is this by design or did I miss anything? Documentation states that
> pass-through should be working with SASL/PLAIN, but perhaps I
> misunderstood what it really meant?

pass-through does not utilize SASL/PLAIN. slapd performs a call to
sasl_checkpass instead, as documented in 14.5 of the OpenLDAP
Administrator's Guide.

When performing SASL authentication (PLAIN) you are delegating
authentication to libsasl2. If using SASL PLAIN, the authentication
identity and password provided by the client are passed to libsasl as is.
It's up to saslauthd and its configured backend (in your scenario) to
authenticate the user, after which you can make use of authz-regexp
statements to map the authentication identity to a DN.

--
Dan White
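The two paths discussed in this thread, written out as a constructed configuration (an added example, not anything posted by either participant). The hostnames, realm, suffix and user entry are assumptions; the directives themselves (sasl-host, sasl-realm, authz-regexp, the {SASL} password scheme, and the saslauthd pwcheck_method) are the standard OpenLDAP/Cyrus SASL ones.

```conf
# --- slapd.conf fragment (constructed example) -------------------------
# Values slapd hands to libsasl2 when a simple bind hits a {SASL}
# userPassword and slapd calls sasl_checkpass() (pass-through path).
sasl-host     ldap.example.com
sasl-realm    example.com

# SASL/PLAIN path: the client's authentication identity reaches saslauthd
# unchanged. Only after saslauthd says "OK" does slapd build the SASL
# identity  uid=<authcid>,cn=<realm>,cn=plain,cn=auth  and apply this
# mapping to turn it into a DN. The regexp never influences what
# saslauthd sees. Assumed suffix: dc=example,dc=com
authz-regexp
  uid=([^,]*),cn=example.com,cn=plain,cn=auth
  ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# --- /etc/sasl2/slapd.conf (constructed example) -----------------------
# Tells libsasl2, for mechanisms slapd exposes (PLAIN here), to verify
# passwords through saslauthd. Restrict mech_list so that PLAIN is only
# offered where the transport is protected (sasl-secprops / TLS).
pwcheck_method: saslauthd
mech_list: plain

# --- LDIF entry for a simple-bind pass-through user (constructed) ------
# Simple bind as this DN: slapd does not compare the password itself;
# it sends  robin  (the text after {SASL}) plus the client's password to
# saslauthd, with  example.com  as the realm. That is the
# "extraAuthInformation" behaviour from the question, and it only applies
# to simple binds, never to SASL/PLAIN binds.
dn: uid=robin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: robin
cn: Robin Example
sn: Example
userPassword: {SASL}robin@example.com
```

Note that with SASL/PLAIN a client authenticating as "robin" is verified by saslauthd as "robin" and then mapped by authz-regexp, so any identity rewriting must be done in the mapping (or in saslauthd's backend), not expected in userPassword.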