[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: R: How the password stored in SASL db can be related to the userPassword attribute of an entry of the directory?



Giampaolo Rossi wrote:
Hi Howard,

I followed your suggestion but that's what I got after running ldapsearch

1.
[root@LDAPMaster etc]# ldapsearch -Y digest-md5 -b "o=Organization" -D
"uid=CO,ou=Operator,o=Organization"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client response
doesn't match what we generated
You probably should not use -D <DN> with SASL binds and if you give a SASL name you have to make sure it is converted properly to a DN you have in your DIT. It is all in the Administration Guide.

In 1. and 2. I inserted CO_PWD as password-string according to my ldif file
which ontains the following entry :
dn: uid=CO, ou=Operator, o=Organization
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Organization Commander
sn: CO
uid: CO
userPassword: CO_PWD
not sure but don't you need {CLEARTEXT}CO_PWD?

displayName: commander
description: Organization commander

So, what's wrong ?

How can I use the secret stored in LDAP directory intead of using secret
stored in sasl db?
SASL uses backend for storing secrets, sasldb is the most common. You have to compile ldapdb from the openldap /contrib directory with your SASL package and setup proxy authentication. Read the Admin Guide and Tony Earnshaw's writeup at http://www.billy.demon.nl/Postfix-SASL-authentication.html it helped me a lot. One note to the above:
dn.<style> like saslAuthzTo: dn.regex:uid=.*,ou=yoursuffix,.... didn't worked for me I used just a regular regex:
saslAuthzTo: uid=.*,ou=yoursuffix,....



greetings Paul