Re: ldapsearch and sasl
James Wilde wrote:
> I thought my sasl lines in slapd.conf were intended to translate the dn
> to sasl format and the sasl user Manager@glocalnet.net exists in the
> sasldb2 database, together with the same password. But it is of course
> the other way round, that sasl converts user names to the dn and looks
> for their password in the ldap directory.
SASL only knows about usernames. OpenLDAP / slapd converts user names
into DNs and looks them up. It will also use regular usernames in
sasldb2 if they exist, but that's not the preferred method.
> I have been - and probably still am - a bit confused as to the role of
> sasl in all this. I have been assuming that the sole role of sasl is to
> encrypt the communication between client and server. I'm not at all
> clear as to how many of my users I have to have in the sasl database,
> but at the moment I only have Manager@glocalnet.net, that is the
> equivalent of the rootdn in ldap.
The primary purpose of SASL is to perform authentication. Encryption is
an optional feature, and is only supported by a subset of SASL mechanisms.
> I don't know why the creators of openldap moved to sasl instead of
> staying with tls/ssl. Maybe someone can explain this.
There was no "moved to instead of" to speak of. TLS/SSL are supported
for encryption. SASL is supported for strong authentication. They are
fairly complementary and both may be used concurrently.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
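The two points Howard makes above (slapd maps a SASL username to a DN, and encryption is a per-mechanism extra rather than SASL's job) can be seen in a small model. The following is an added example written for this archive page; it is not code from the thread or from OpenLDAP. It builds the authentication identity in the form slapd uses for SASL binds (`uid=<user>,cn=<realm>,cn=<mech>,cn=auth`, realm omitted when none) and applies rewrite rules in the style of slapd's `authz-regexp` / older `sasl-regexp` directives. The rules themselves, the base DN `dc=glocalnet,dc=net`, and the case-insensitive matching are assumptions of this model, not settings from the thread.

```python
import re

# Added illustration, not OpenLDAP's own code: a model of how slapd turns a
# SASL authentication identity into a DN (or an LDAP URL to search for one).


def sasl_auth_identity(username, mechanism, realm=None):
    """Build the identity slapd forms for a SASL bind.

    Shape: uid=<user>,cn=<realm>,cn=<mech>,cn=auth, with the cn=<realm>
    component left out when the mechanism supplied no realm. The mechanism
    name is lowercased, as in the OpenLDAP admin guide examples.
    """
    mech = mechanism.lower()
    if realm:
        return f"uid={username},cn={realm},cn={mech},cn=auth"
    return f"uid={username},cn={mech},cn=auth"


# Constructed rules in authz-regexp style: (match, replace) pairs consulted in
# order; the first match wins. $1 refers to the first captured group, as in
# slapd.conf. The base DN dc=glocalnet,dc=net is an assumption for this model.
AUTHZ_REGEXP_RULES = [
    # Rule 1: a user who authenticated in the glocalnet.net realm maps
    # directly to an entry under the assumed base.
    (r"^uid=([^,]*),cn=glocalnet\.net,cn=[^,]*,cn=auth$",
     r"cn=$1,dc=glocalnet,dc=net"),
    # Rule 2: a user with no realm is looked up by uid via an LDAP URL;
    # slapd would run that search and require exactly one hit.
    (r"^uid=([^,]*),cn=[^,]*,cn=auth$",
     r"ldap:///dc=glocalnet,dc=net??sub?(uid=$1)"),
]


def map_identity_to_dn(identity, rules=AUTHZ_REGEXP_RULES):
    """Return the DN or LDAP URL produced by the first matching rule, or
    None when no rule matches (slapd would then fall back to treating the
    identity string itself as the DN, which normally matches no entry)."""
    for match, template in rules:
        # Case-insensitive matching is an assumption of this model.
        m = re.compile(match, re.IGNORECASE).match(identity)
        if m:
            # Translate slapd's $1 placeholders into Python's \1 group refs.
            repl = re.sub(r"\$(\d)", r"\\\1", template)
            return m.expand(repl)
    return None


# Which common mechanisms can negotiate a SASL security layer (integrity or
# privacy protection of the session). DIGEST-MD5 and GSSAPI can; PLAIN, LOGIN
# and EXTERNAL cannot, so they rely on TLS for confidentiality.
SECURITY_LAYER_CAPABLE = {
    "DIGEST-MD5": True,
    "GSSAPI": True,
    "PLAIN": False,
    "LOGIN": False,
    "EXTERNAL": False,
}


def needs_tls_for_privacy(mechanism):
    """True when the mechanism cannot protect the session by itself, so TLS
    must be layered underneath to keep the exchange confidential."""
    return not SECURITY_LAYER_CAPABLE.get(mechanism.upper(), False)


if __name__ == "__main__":
    ident = sasl_auth_identity("Manager", "DIGEST-MD5", "glocalnet.net")
    print(ident, "->", map_identity_to_dn(ident))
    ident = sasl_auth_identity("jwilde", "DIGEST-MD5")
    print(ident, "->", map_identity_to_dn(ident))
    for mech in ("PLAIN", "DIGEST-MD5"):
        print(mech, "needs TLS for privacy:", needs_tls_for_privacy(mech))
```

Rule order matters: the realm-specific rule sits first so that a bind in the `glocalnet.net` realm never falls through to the generic search, and an identity in an unknown realm matches nothing at all, which is the safe default.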