Re: ACL's for SASL compat.
- To: openldap-software@OpenLDAP.org
- Subject: Re: ACL's for SASL compat.
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 09 Mar 2001 21:17:35 +0100
- Cc: Dima Barsky <dima@debian.org>
- In-reply-to: "Kurt D. Zeilenga"'s message of "Wed, 04 Oct 2000 15:53:40 -0700"
- Organization: LDAP/Kerberos expert wannabe
- References: <5.0.0.25.0.20001004085440.00a7be00@router.boolean.net> <5.0.0.25.0.20001003150536.00a41520@router.boolean.net> <20001003171559.B7227@hbesoftware.com> <5.0.0.25.0.20001003150536.00a41520@router.boolean.net> <20001003205221.A17171@hbesoftware.com> <5.0.0.25.0.20001004085440.00a7be00@router.boolean.net> <5.0.0.25.0.20001004103651.00a30eb0@router.boolean.net> <5.0.0.25.0.20001004143821.00a69960@router.boolean.net>
- User-agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
>>>>> "Kurt" == Kurt D Zeilenga <Kurt@OpenLDAP.org> writes:
Kurt> At 02:58 PM 10/4/00 -0400, Marc Heckmann wrote:
>> I have a trace of what happens below, it seems that the
>> authorization DN is only "testuser" and not
>> "uid=testuser+realm=schoenberg"
Kurt> Just "testuser"? Sounds like you might be suffering from a
Kurt> nasty (and dangerous) Cyrus SASL bug. Make sure you have
Kurt> Cyrus SASL 1.5.24 installed as currently available from
Kurt> ftp://ftp.andrew.cmu.edu/pub/cyrus-mail. Do not install
Kurt> versions from any other source as there appears to be
Kurt> multiple versions labeled 1.5.24 floating about (due to a
Kurt> silent upgrade) and only the version in the official FTP
Kurt> site is known not to contain the bug.
I'm having this problem too, and I'm running the Debian GNU/Linux
package (with minor changes such as --with-gssapi etc.) with version
1.5.24-5.
Kurt> Then, when testing with OpenLDAP, be sure to specify TRACE.
Kurt> ARGS is useful as well. This will report not only the
Kurt> authentication and authorization identities, but the
Kurt> authorization (or subject) DN.
?
Is this a parameter to ldap{search|modify|add}, or is it a compile option?
Kurt> Other notes: -D is for simple bind... irrelevant for SASL
Kurt> bind. -W is for simple bind, SASL bind will prompt as
Kurt> needed (but will use value provided via -W or -w as well).
Kurt> And don't use -X (authorization identity) with OpenLDAP
Kurt> slapd... as slapd only supports authorization identities
Kurt> which are equivalent to the authentication identity (empty
Kurt> or u:user for user).
Running slapd with:
----- s n i p -----
/usr/sbin/slapd -h "ldap://0.0.0.0:3389/ ldaps://0.0.0.0/" -d -1 > /tmp/out 2>&1
----- s n i p -----
And the search with
----- s n i p -----
ldapsearch -I -b 'dc=com' -H ldaps:/// -LLL '(&(uid=*)(objectclass=posixAccount))' userPassword
----- s n i p -----
will give me this in the /tmp/out file:
----- s n i p -----
CHROOT:/# grep 'slap_sasl_bind: authzdn' /tmp/out
<== slap_sasl_bind: authzdn: "uid=root"
----- s n i p -----
(I'm doing this in my chroot, so...)
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
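A small check for the symptom discussed in this thread, added here as an illustration and not part of the original message or of OpenLDAP: it pulls every `slap_sasl_bind: authzdn:` line out of a `slapd -d -1` trace (the same line Turbo greps for above) and flags any bind whose authorization DN carries no `realm=` component, which is what a truncated SASL identity such as a bare `testuser` looks like. The sample trace lines are constructed; the `uid=testuser+realm=schoenberg` form is the one quoted in the thread, and treating a missing `realm=` as the tell-tale is this example's assumption, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original message or from OpenLDAP):
# inspect slapd "-d -1" trace output for the authorization DN that
# slap_sasl_bind derived, and flag DNs with no realm component.

# Constructed sample trace, mimicking the "<== slap_sasl_bind: authzdn:"
# line shown in the post. The first entry is the form the thread expects;
# the second is the bare form the thread describes as the problem.
SAMPLE_TRACE='<== slap_sasl_bind: authzdn: "uid=testuser+realm=schoenberg"
<== slap_sasl_bind: authzdn: "uid=root"'

# Read a trace on stdin; print the quoted authzdn of every
# slap_sasl_bind line, one per line, with the quotes removed.
extract_authzdn() {
    sed -n 's/.*slap_sasl_bind: authzdn: "\([^"]*\)".*/\1/p'
}

# Read a trace on stdin; return 0 if every authzdn contains "realm=",
# otherwise list the offenders and return 1. The realm check is an
# assumption of this example: adjust it to whatever DN form your
# sasl-regexp / ACLs expect.
check_realm() {
    bad=$(extract_authzdn | grep -v 'realm=' || true)
    if [ -n "$bad" ]; then
        printf 'authzdn without realm (possible SASL identity truncation):\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample; with a real trace use
#   check_realm < /tmp/out
if printf '%s\n' "$SAMPLE_TRACE" | check_realm; then
    echo "all SASL binds carry a realm"
else
    echo "at least one SASL bind lost its realm; check the Cyrus SASL build"
fi
```

Run it against the real `/tmp/out` from the `slapd -d -1` invocation above; a DN like `uid=root` with no realm showing up where `uid=root+realm=...` was expected is the case Kurt attributes to the Cyrus SASL bug, so that is the first thing to confirm before touching ACLs.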