
Re: ACL's for SASL compat.
At 02:58 PM 10/4/00 -0400, Marc Heckmann wrote:
> I have a trace of what happens below; it seems that the authorization
> DN is only "testuser" and not "uid=testuser+realm=schoenberg"

Just "testuser"?  Sounds like you might be suffering from a nasty
(and dangerous) Cyrus SASL bug.  Make sure you have Cyrus SASL 1.5.24
installed as currently available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail.
Do not install versions from any other source, as there appear to
be multiple versions labeled 1.5.24 floating about (due to a silent
upgrade), and only the version on the official FTP site is known not
to contain the bug.

Then, when testing with OpenLDAP, be sure to specify TRACE.  ARGS is
useful as well.  This will report not only the authentication and
authorization identities, but the authorization (or subject) DN.

Other notes: -D is for simple bind... irrelevant for SASL bind.
-W is for simple bind, SASL bind will prompt as needed (but will
use value provided via -W or -w as well).  And don't use -X
(authorization identity) with OpenLDAP slapd... as slapd only
supports authorization identities which are equivalent to the
authentication identity (empty or u:user for user).

Kurt