Re: SASL authentication
Fri, 2003-01-31 at 17:03, Vincent FONTENEAU wrote:
> I'm trying to configure an openldap database with SASL Digest-md5
> authentication. I've succeeded in making an openldap database with no SASL
> authentication.
> I'm a little newbie in openldap and I'm trying to configure SASL for 1
> week now.
This is all Openldap 2.1.10, Cyrus SASL 2.1.10, Berkeley BDB 4.1.24:
> Does somebody know where I could find a good doc to configure openldap
> with SASL,
Cyrus SASL (2.1.10) docs, just follow them - if you've compiled and
installed it correctly and then compiled Openldap against it:
> I mean configure slapd.conf,
See below
> ldif file
Same as for normal Openldap. All passwords for Openldap DIGEST-MD5 users
must be in cleartext in the DIT (userPassword).
> sasldb
Isn't necessary for Openldap.
> how to declare saslpasswd
No special saslpasswd
> do I need saslatuhd
You mean saslauthd. No, you don't
> and sasl.conf file ?
Not for Openldap, but running the Cyrus test program is fun, when you
get it to work. This is all in the Cyrus SASL documentation.
> I really don't know
> how to do.
Archives, for this mailing list, especially July 12/13 2002 with Howard
Chu's explanation and the ensuing enlightenment for all.
> Even if I want to use slurpd with SASL how to do ?
No idea, haven't got that far and don't use SASL at the moment, anyway
(I use SSL/TLS and cleartext passwords, 'cos that's what my apps use).
I have this normal suffix in slapd.conf (it's not specially for
DIGEST-MD5):
dc=myorg,dc=nl
and for SASL DIGEST-MD5 in slapd.conf:
sasl-regexp "uid=(.*),cn=digest-md5,cn=auth"
    "ldap:///dc=myorg,dc=nl??sub?cn=$1"
Looking for cn=Tom Smith, authenticating as tonye:
ldapsearch -Y DIGEST-MD5 -b -U tonye 'cn=tom smith'
The above obviously have to exist, but they're not special for SASL.
-U is the SASL authcid (*man ldapsearch*). You have the same rights as
your normal ACLs give you.
Best,
Tony
--
Tony Earnshaw
When all's said and done ...
there's nothing left to say or do.
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
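
The sasl-regexp mapping from the message above, as an added example that is not part of the original post or of OpenLDAP's code: a Python model of how the rule rewrites a SASL authentication DN into the search slapd runs, and what the greedy (.*) captures when the DN carries a realm component. The realm name myrealm, the tighter pattern and the helper map_auth_dn are assumptions for illustration, and Python's re stands in for slapd's regex matching.

```python
import re

# Rule as given in the post: (match pattern, replacement LDAP URL).
POST_RULE = (r"uid=(.*),cn=digest-md5,cn=auth",
             "ldap:///dc=myorg,dc=nl??sub?cn=$1")
# Assumed tighter variant (not from the post): the capture stops at the first
# comma and an optional realm RDN is matched separately.
TIGHT_RULE = (r"uid=([^,]*)(,cn=[^,]*)?,cn=digest-md5,cn=auth",
              "ldap:///dc=myorg,dc=nl??sub?cn=$1")


def map_auth_dn(auth_dn, rule):
    """Return the (base, scope, filter) search for auth_dn, or None if no match."""
    pattern, replacement = rule
    m = re.search(pattern, auth_dn)
    if m is None:
        return None  # rule does not apply; the auth DN stays unmapped
    url = replacement.replace("$1", m.group(1))
    # LDAP URL layout: ldap://host/base?attrs?scope?filter
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    return base, scope, filt


if __name__ == "__main__":
    # Constructed auth DNs: without and with a realm component ("myrealm").
    samples = [
        "uid=tonye,cn=digest-md5,cn=auth",
        "uid=tonye,cn=myrealm,cn=digest-md5,cn=auth",
        "uid=tonye,cn=gssapi,cn=auth",
    ]
    for dn in samples:
        for name, rule in (("post", POST_RULE), ("tight", TIGHT_RULE)):
            print(f"{dn:45} {name:5} -> {map_auth_dn(dn, rule)}")
```

With the post's rule the realm form produces the filter cn=tonye,cn=myrealm instead of cn=tonye, so the search no longer looks for the intended entry; the tighter pattern produces cn=tonye for both forms.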