
RE: Storing SASL secrets in the directory



> -----Original Message-----
> From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]

> That fixed it, thanks. It helps to know that digest-md5 does not use a
> realm!

DIGEST-MD5 does use realms; it just omits the realm when the user is in
the default realm. If you specified a username "fred@some.other.realm" then
the "cn=some.other.realm" component would appear in the SASL DN.

> ldappasswd works correctly when I bind with the non-SASL mechanism:
> 
> 	ldappasswd -S -x -W -C -D "cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
> 
> However, when I use SASL I run into problems:
> 
> 	ldappasswd -S -C -U u000997
> 	New password: 
> 	Re-enter new password: 
> 	SASL/DIGEST-MD5 authentication started
> 	Please enter your password: 
> 	SASL username: u000997
> 	SASL SSF: 128
> 	SASL installing layers
> 	Result: Unknown error (80)
> 	Additional info: SASL(-7): invalid parameter supplied: Parameter error in server.c near line 149

This is a bug; sasl_setpass was called with parameters in the wrong order.

There's also some missing functionality in Cyrus; the sasl_setpass function
is pretty much a no-op because the auxprop mechanism has no defined methods
for writing the auxprop database. With the param err fixed, the ldappasswd
operation will return Success but nothing has actually been changed. There's
more work to be done here.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support