[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL/PLAIN Passthrough auth

To: Robin Helgelin <lobbin@gmail.com>, openldap-technical@openldap.org
Subject: Re: SASL/PLAIN Passthrough auth
From: Howard Chu <hyc@symas.com>
Date: Fri, 08 Mar 2013 12:53:35 -0800
In-reply-to: <CAPgWWQObSPYmEHfYkO-7maoUn7UnBgDT28rsbnpeBTi7P5sxmw@mail.gmail.com>
References: <CAPgWWQObSPYmEHfYkO-7maoUn7UnBgDT28rsbnpeBTi7P5sxmw@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 SeaMonkey/2.19a1

Robin Helgelin wrote:

Hi,

I have a SASL pass-through authentication working when using a simple
bind only on users that has a userPassword starting with {SASL}. When
the users password contains {SASL}extraAuthInformation, the
extraAuthInformation is passed on as username to the saslauthd and
everything works as it should.

However, when using SASL/PLAIN all requests goes to the saslauthd,
without passing the extra information found in userPassword. Another
issue is that the username sent to saslauthd is the username entered
by the user, not the dn found when rewriting the username with
authz-regexp.

Is this by design or did I miss anything? Documentation states that
pass-through should be working with SASL/PLAIN, but perhaps I
misunderstood what it really meant?

That's by design. The authz-regexp mapping is only used when the targetcredentials are stored in slapd. Since you're using SASL/PLAIN to actuallytalk to saslauthd, nothing inside slapd is relevant.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- SASL/PLAIN Passthrough auth
  - From: Robin Helgelin <lobbin@gmail.com>

Prev by Date: Re: SASL/PLAIN Passthrough auth
Next by Date: getent passwd inconsistent loginShell with ldapsearch
Index(es):
- Chronological
- Thread