Re: ACL's for SASL compat.



>>>>> "Kurt" == Kurt D Zeilenga <Kurt@OpenLDAP.org> writes:

    Kurt> At 02:58 PM 10/4/00 -0400, Marc Heckmann wrote:
    >> I have a trace of what happens below, it seems that the
    >> authorization DN is only "testuser" and not
    >> "uid=testuser+realm=schoenberg"

    Kurt> Just "testuser"?  Sounds like you might be suffering from a
    Kurt> nasty (and dangerous) Cyrus SASL bug.  Make sure you have
    Kurt> Cyrus SASL 1.5.24 installed as currently available from
    Kurt> ftp://ftp.andrew.cmu.edu/pub/cyrus-mail.  Do not install
    Kurt> versions from any other source as there appears to be
    Kurt> multiple versions labeled 1.5.24 floating about (due to a
    Kurt> silent upgrade) and only the version in the official FTP
    Kurt> site is known not to contain the bug.

I'm having this problem too, and I'm running the Debian GNU/Linux 
package (with minor changes such as --with-gssapi etc.) with version
1.5.24-5.

    Kurt> Then, when testing with OpenLDAP, be sure to specify TRACE.
    Kurt> ARGS is useful as well.  This will report not only the
    Kurt> authentication and authorization identities, but the
    Kurt> authorization (or subject) DN.

? 

Is this a parameter to ldap{search|modify|add}, or is it a compile option?

    Kurt> Other notes: -D is for simple bind... irrelevant for SASL
    Kurt> bind.  -W is for simple bind, SASL bind will prompt as
    Kurt> needed (but will use value provided via -W or -w as well).
    Kurt> And don't use -X (authorization identity) with OpenLDAP
    Kurt> slapd... as slapd only supports authorization identities
    Kurt> which are equivalent to the authentication identity (empty
    Kurt> or u:user for user).

Running slapd with:
----- s n i p -----
/usr/sbin/slapd -h "ldap://0.0.0.0:3389/ ldaps://0.0.0.0/" -d -1 > /tmp/out 2>&1
----- s n i p -----

And the search with
----- s n i p -----
ldapsearch -I -b 'dc=com' -H ldaps:/// -LLL '(&(uid=*)(objectclass=posixAccount))' userPassword
----- s n i p -----

will give me this in the /tmp/out file:
----- s n i p -----
CHROOT:/# grep 'slap_sasl_bind: authzdn' /tmp/out 
<== slap_sasl_bind: authzdn: "uid=root"
----- s n i p -----

(I'm doing this in my chroot, so...)

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
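A small check for the symptom Kurt describes, as an added example that is not part of this mail or of OpenLDAP: it scans the `slap_sasl_bind: authzdn:` lines from a `slapd -d -1` trace and flags any authorization DN that is a bare identity (no attribute=value pair) rather than a DN. The trace lines embedded below are constructed sample data in the format quoted above.

```shell
#!/bin/sh
# Constructed sample of slapd -d -1 output (not a real capture).
# The first authzdn is DN-shaped; the second is the bare-identity form
# discussed in the thread.
SAMPLE_TRACE='conn=0 op=0 BIND dn="" method=163
<== slap_sasl_bind: authzdn: "uid=testuser+realm=schoenberg"
conn=1 op=0 BIND dn="" method=163
<== slap_sasl_bind: authzdn: "testuser"'

# check_authzdn LINE
# Extracts the quoted authzdn value from one trace line and prints "ok"
# when it contains an "=" (attribute=value, i.e. a DN), "SUSPECT" when it
# is a bare identity such as "testuser".
check_authzdn() {
    dn=$(printf '%s\n' "$1" | sed -n 's/.*authzdn: "\(.*\)".*/\1/p')
    case "$dn" in
        *=*) echo "ok" ;;
        *)   echo "SUSPECT" ;;
    esac
}

# count_suspect
# Prints the number of authzdn lines in SAMPLE_TRACE that are not DN-shaped.
count_suspect() {
    printf '%s\n' "$SAMPLE_TRACE" \
        | grep 'slap_sasl_bind: authzdn' \
        | while IFS= read -r line; do check_authzdn "$line"; done \
        | grep -c SUSPECT
}

count_suspect
```

To run it against a real trace, replace SAMPLE_TRACE with the contents of the file slapd was redirected to (/tmp/out in the commands above).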