From: "Ben Booble" <oneoutof100@hotmail.com>
To: OpenLDAP-software@OpenLDAP.org
Date: Fri, 30 Apr 2004 01:58:53 +0000
Hi List,
I have been going through the very good http://www.billy.demon.nl/ guide
for the postfix SASL LDAP howto but have run into a problem.
I am running openldap-2.1.25, cyrus-sasl-2.1.17, Red Hat ES3. I have
compiled and installed ldapdb.c according to the readme. In the guide
mentioned above, to test the success of the installation you submit this
command:
ldapwhoami -Y digest-md5 -U proxyuser -X u:username -H ldap://servername
and the result should be dn:uid=username,ou=people,dc=... showing you can
authenticate as the username.
I gather it is something to do with either ACLs or, if not that, something
else. Can someone please look at the below and give me a pointer?
My result is: ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
slapd.log:
slap_parseURI: parsing dn.regex:uid=.*,ou=people,dc=cpc
dnNormalize: <dn.regex:uid=.*,ou=people,dc=cpc>
<===slap_sasl_match: comparison returned 21
<==slap_sasl_check_authz: saslAuthzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Authorize [conn=6]: authorization disallowed (48)
SASL [conn=6] Failure: not authorized
slapd.conf ACLs and SASL settings:
access to dn=".*,ou=people,dc=cpc"
        attrs=userPassword
        by self write
        by dn="cn=Manager,dc=cpc" write
        by dn="uid=admin,ou=people,dc=cpc" read
        by * auth
access to dn=".*,ou=Contacts,dc=cpc"
        by * write
access to dn="dc=cpc"
        by self write
        by dn="cn=Manager,dc=cpc" write
        by * read
        by * auth
        by anonymous search
        by users read
access to *
        by dn="uid=admin,ou=people,dc=cpc" write    (added out of frustration)
access to dn=""
        by dn="cn=Manager,dc=cpc" write
        by dn="uid=admin,ou=people,dc=cpc" read
        by self write
        by users read
        by * none
password-hash {CLEARTEXT}
#sasl-host servername
sasl-authz-policy to
sasl-realm servername
sasl-secprops noplain noanonymous maxssf=128
sasl-regexp uid=(.*),cn=servername,cn=digest-md5,cn=auth
        uid=$1,ou=people,dc=cpc
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
        "ldap:///ou=people,dc=cpc??sub?uid=$1"
ldapsearch -x -D "uid=admin,ou=people,dc=cpc" -W 'uid=admin' saslauthzto
# admin, people, cpc
dn: uid=admin,ou=people,dc=cpc
saslAuthzTo: dn.regex:uid=.*,ou=people,dc=cpc
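Editor's note, added to this archived post and not written by the poster or taken from OpenLDAP: the block below is a small Python model of the two steps that the ldapwhoami test above exercises, so a reader can see how slapd turns a SASL identity into a directory DN through the sasl-regexp rules (first matching rule wins) and how sasl-authz-policy to then compares the target DN against the saslAuthzTo values on the authenticating entry. It reuses the poster's sasl-regexp rules, a constructed two-entry stand-in for the directory, and an anchored saslAuthzTo regex; the assumptions are that a u: authorization identity is built with the same realm as the bind, that only the dn.regex: and dn.exact: saslAuthzTo forms are modelled, and that the ldap:/// URI form of a sasl-regexp is resolved with a sub-scope equality search. It is a model of the logic, not slapd's code, and it deliberately shows why an unanchored pattern such as uid=.*,ou=people,dc=cpc also matches entries below ou=people.

```python
"""Model of slapd's SASL identity mapping and saslAuthzTo check (illustrative, not slapd code)."""
import re
from typing import Optional

# Constructed stand-in for the directory: DN -> attribute -> list of values.
DIRECTORY = {
    "uid=admin,ou=people,dc=cpc": {
        "uid": ["admin"],
        # Anchored regex: slapd does not anchor it for you, see authz_regex_matches().
        "saslAuthzTo": ["dn.regex:^uid=[^,]+,ou=people,dc=cpc$"],
    },
    "uid=bob,ou=people,dc=cpc": {"uid": ["bob"]},
}

# sasl-regexp rules copied from the posted slapd.conf; slapd tries them in order, first match wins.
# Note that rule 2 would also match a realm-qualified identity, which is why rule 1 must come first.
SASL_REGEXP = [
    (r"uid=(.*),cn=servername,cn=digest-md5,cn=auth", "uid=$1,ou=people,dc=cpc"),
    (r"uid=(.*),cn=digest-md5,cn=auth", "ldap:///ou=people,dc=cpc??sub?uid=$1"),
]


def sasl_pseudo_dn(user: str, mech: str, realm: Optional[str]) -> str:
    """Build the uid=<user>,cn=<realm>,cn=<mech>,cn=auth name slapd forms for a SASL identity.
    Assumption: the cn=<realm> component is present only when a realm is known."""
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def _search_uri(uri: str) -> Optional[str]:
    """Resolve ldap:///<base>?<attrs>?<scope>?<filter> against DIRECTORY.
    Only the sub scope and a single attr=value equality filter are handled (assumption)."""
    base, _attrs, scope, flt = uri[len("ldap:///"):].split("?")
    attr, value = flt.split("=", 1)
    if scope not in ("sub", ""):
        return None
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and value in e.get(attr, [])]
    return hits[0] if len(hits) == 1 else None  # missing or ambiguous: no mapping


def map_identity(pseudo_dn: str) -> Optional[str]:
    """Apply the sasl-regexp rules to a SASL pseudo-DN; return a directory DN or None."""
    for pattern, replacement in SASL_REGEXP:
        m = re.fullmatch(pattern, pseudo_dn)
        if not m:
            continue
        result = replacement
        for i, group in enumerate(m.groups(), start=1):  # slapd uses $1..$9 for captures
            result = result.replace(f"${i}", group)
        return _search_uri(result) if result.startswith("ldap:///") else result
    return None


def authz_regex_matches(pattern: str, dn: str) -> bool:
    """The dn.regex: comparison. Unanchored patterns match anywhere in the DN."""
    return re.search(pattern, dn) is not None


def authz_to_allows(authc_dn: str, authz_dn: str) -> bool:
    """sasl-authz-policy to: some saslAuthzTo value on the authenticating entry must match the target."""
    for rule in DIRECTORY.get(authc_dn, {}).get("saslAuthzTo", []):
        if rule.startswith("dn.regex:") and authz_regex_matches(rule[len("dn.regex:"):], authz_dn):
            return True
        if rule.startswith("dn.exact:") and rule[len("dn.exact:"):] == authz_dn:
            return True
    return False


def whoami(authcid: str, authzid: str, mech: str = "digest-md5",
           realm: Optional[str] = "servername") -> Optional[str]:
    """What `ldapwhoami -Y <mech> -U <authcid> -X <authzid>` would print, or None when
    the proxy authorization is refused. Accepts the u:<user> and dn:<dn> authzid forms."""
    authc_dn = map_identity(sasl_pseudo_dn(authcid, mech, realm))
    if authzid.startswith("u:"):
        authz_dn = map_identity(sasl_pseudo_dn(authzid[2:], mech, realm))
    elif authzid.startswith("dn:"):
        authz_dn = authzid[3:]
    else:
        return None
    if authc_dn is None or authz_dn is None or not authz_to_allows(authc_dn, authz_dn):
        return None
    return f"dn:{authz_dn}"


if __name__ == "__main__":
    print(whoami("admin", "u:bob"))    # proxy user may act as bob
    print(whoami("bob", "u:admin"))    # bob has no saslAuthzTo, refused
```

The `authz_regex_matches` helper is there to make the anchoring point concrete: the poster's value `uid=.*,ou=people,dc=cpc` also matches `cn=x,uid=bob,ou=people,dc=cpc`, a hypothetical child entry under bob, while `^uid=[^,]+,ou=people,dc=cpc$` matches only the user entries themselves. When granting proxy authorization, anchor the regex and keep the character class tight.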