
Re: Storing SASL secrets in the directory



On Fri, Jul 12, 2002 at 03:16:24AM -0700, Howard Chu wrote:
> 
> Using this rule
> sasl-regexp "uid=(.*),cn=digest-md5,cn=auth" "ldap:///o=foo,c=us??sub?cn=$1";

That fixed it, thanks. It helps to know that digest-md5 does not use a
realm!

I now have in-directory secrets working and have started looking at
password changing mechanisms. I am forcing the password change exop to
store cleartext passwords with the config option:

password-hash   {CLEARTEXT}

ldappasswd works correctly when I bind with the non-SASL mechanism:

	ldappasswd -S -x -W -C -D "cn=Andrew Pathan+uid=u000997,dc=example,dc=org"

However, when I use SASL I run into problems:

	ldappasswd -S -C -U u000997
	New password: 
	Re-enter new password: 
	SASL/DIGEST-MD5 authentication started
	Please enter your password: 
	SASL username: u000997
	SASL SSF: 128
	SASL installing layers
	Result: Unknown error (80)
	Additional info: SASL(-7): invalid parameter supplied: Parameter error in server.c near line 149

If I specify the DN of the entry I want to change then the error is
different:

	$ ldappasswd -S -C -U u000997 "cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
	New password: 
	Re-enter new password: 
	SASL/DIGEST-MD5 authentication started
	Please enter your password: 
	SASL username: u000997
	SASL SSF: 128
	SASL installing layers
	Result: DSA is unwilling to perform (53)
	Additional info: user must change own password

This suggests to me that the server is not applying saslRegexp when
handling the exop.

Would you expect this to work? If this is a bug I will submit logs etc.
to help diagnose it. I am also working on some notes on using
DIGEST-MD5 which I will submit for the SASL section of the admin
guide.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
-----------------------------------------------------------------------
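The sasl-regexp rule quoted at the top of this message is the piece that makes the SASL username usable as a directory identity, so the following is an added worked example of what that rule does; it is not code from the thread, from Andrew, or from OpenLDAP itself. It builds the authentication DN that slapd forms for a DIGEST-MD5 user (both the realm-less form the thread relies on and the "uid=<user>,cn=<realm>,cn=<mech>,cn=auth" form the admin guide documents when a realm is present; the latter is an assumption about the server, not something this message states), applies the posted rule, and parses the resulting ldap:/// URL into the search slapd would run. Two things are the example's own choices rather than documented slapd behaviour: the regexp is anchored with re.fullmatch, and a captured value that lands in the URL's filter component is RFC 4515-escaped. The stricter "[^,]*" pattern and the "example.org" realm are illustrative only.

```python
import re
from urllib.parse import unquote

# The rule exactly as quoted in this thread (sasl-regexp "<pattern>" "<replacement>").
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "ldap:///o=foo,c=us??sub?cn=$1"),
]

# Hypothetical tighter variant: refuse to let a comma (a new RDN) into the capture.
STRICT_RULES = [
    (r"uid=([^,]*),cn=digest-md5,cn=auth", "ldap:///o=foo,c=us??sub?cn=$1"),
]

# RFC 4515 escaping for a value interpolated into an LDAP search filter.
_FILTER_META = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_META.get(ch, ch) for ch in value)


def sasl_auth_dn(username, mech="digest-md5", realm=None):
    """Authentication DN slapd forms for a SASL identity.

    The realm-bearing form is the one documented in the OpenLDAP admin guide;
    the thread only exercises the realm-less form (assumption noted in the lead-in).
    """
    if realm:
        return "uid=%s,cn=%s,cn=%s,cn=auth" % (username, realm, mech)
    return "uid=%s,cn=%s,cn=auth" % (username, mech)


def parse_ldap_url(url):
    """Split an RFC 4516 ldap:/// URL into base, attrs, scope and filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled: %r" % url)
    parts = url[len("ldap:///"):].split("?")
    base = unquote(parts[0])
    attrs = parts[1].split(",") if len(parts) > 1 and parts[1] else []
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return {"base": base, "attrs": attrs, "scope": scope, "filter": filt}


def _expand(text, groups, escape):
    """Replace $1..$9 with the captured groups, escaping when they land in a filter."""
    def repl(mo):
        value = groups[int(mo.group(1)) - 1]
        return escape_filter_value(value) if escape else value
    return re.sub(r"\$([1-9])", repl, text)


def apply_sasl_regexp(auth_dn, rules=SASL_REGEXP_RULES):
    """Apply the first matching rule.

    Returns a parsed search (dict) when the replacement is an ldap:/// URL,
    a DN string when it is a plain DN, or None when no rule matches.
    The anchoring (fullmatch) is this example's choice.
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        groups = m.groups()
        if template.startswith("ldap:///"):
            url = parse_ldap_url(template)
            url["base"] = _expand(url["base"], groups, escape=False)
            url["filter"] = _expand(url["filter"], groups, escape=True)
            return url
        return _expand(template, groups, escape=False)
    return None


if __name__ == "__main__":
    # The user from the thread, realm-less, as the posted rule expects.
    print(apply_sasl_regexp(sasl_auth_dn("u000997")))
    # A realm-bearing DN: the loose (.*) swallows ",cn=example.org" into the match.
    print(apply_sasl_regexp(sasl_auth_dn("u000997", realm="example.org")))
    print(apply_sasl_regexp(sasl_auth_dn("u000997", realm="example.org"), STRICT_RULES))
    # A username carrying filter metacharacters is neutralised by the escaping.
    print(apply_sasl_regexp(sasl_auth_dn("u000997)(cn=*")))
```

Running it shows the posted rule turning u000997 into a subtree search under o=foo,c=us for cn=u000997, which is the search the exop would need to locate the entry. The realm case is the reason to prefer "[^,]*" over "(.*)": with the loose pattern the captured value becomes "u000997,cn=example.org", so the rule silently matches an identity it was not written for, while the strict pattern does not match at all, which is the safer failure.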