
RE: SASL and mail attribute help



Michael and Hallvard-
Thank you for your responses! The reinforcement regarding the context of uid
was essential.

However, I'm still having trouble...

My slapd.conf contains:

	password-hash   {CLEARTEXT}
	sasl-regexp
	    uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth
	    ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)

My realm should be my fully-qualified domain name, correct?

	[pacifico@powell data]$ hostname --fqdn
	powell

A simple bind finds an entry without problem:

	[pacifico@powell data]$ ldapsearch -x -D 'cn=Al Pacifico,ou=people,dc=example,dc=com' -W 'mail=pacifico@example.com' 'cn'
	Enter LDAP Password:
	# extended LDIF
	#
	# LDAPv3
	# base <> with scope sub
	# filter: mail=pacifico@example.com
	# requesting: cn
	#
	
	# Al Pacifico, People, example.com
	dn: cn=Al Pacifico,ou=People,dc=example,dc=com
	cn: Al Pacifico
	
	# search result
	search: 2
	result: 0 Success
	
	# numResponses: 2
	# numEntries: 1

Now, authenticating with email address:
	[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
	Enter LDAP Password:
	SASL/DIGEST-MD5 authentication started
	ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
	        additional com: SASL(-13): user not found: no secret in database

Additional information:
	1. Substituting -D for -U seems to halt earlier in the process.
	2. Adding the -D option and argument from the simple bind example produces the same result.
	3. Adding the -v flag provides no additional useful information.
	4. I've confirmed saslauthd is running on my machine and the error message implies it is running as well.

I suspect I've omitted something SASL-related from my slapd.conf or made
some simple error in the sasl-regexp. Suggestions?

Thanks.
-al

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Michael Ströder
Sent: Wednesday, June 01, 2005 10:15 AM
To: Al Pacifico
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: SASL and mail attribute help

Michael Ströder wrote:
> Al Pacifico wrote:
> 
>>The examples at OpenLDAP show use of the uid attribute, which is not present
>>for all entries in my directory. I'm not sure how to map to the correct
>>authentication request DN.
> 
> 
> Simply fill the attribute uid of all entries by assigning each user who
> has to bind to OpenLDAP a unique user name.
> Or use another unique attribute like 'employeeNumber'.

Sorry, got you wrong.

What you're probably after is (example not tested!):

sasl-regexp
  "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth"
  "ldap:///dc=stroeder,dc=com??sub?(mail=$1)"

Note 'mail=$1' in the LDAP URL.

Ciao, Michael
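The mapping step both messages are debugging (Al's sasl-regexp with the cn=powell realm component, and Michael's untested pattern) can be checked offline before touching slapd. The script below is an added example written for this thread; it is not code from either poster nor from OpenLDAP. It models the sasl-regexp rewrite as slapd(8) describes it: the authentication request DN `uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth` is matched against each pattern and `$1`..`$9` in the replacement are filled from the capture groups. The whole-DN, case-insensitive match and the sample DNs are assumptions made for the demonstration.

```python
import re
from typing import Optional

# Constructed authentication request DNs in the form slapd builds for a SASL
# bind. Whether the realm component (cn=powell) is present depends on whether
# a realm was supplied; both forms are tried here.
AUTHCID = "pacifico@example.com"
AUTH_DN_WITH_REALM = f"uid={AUTHCID},cn=powell,cn=DIGEST-MD5,cn=auth"
AUTH_DN_NO_REALM = f"uid={AUTHCID},cn=DIGEST-MD5,cn=auth"

# The two sasl-regexp rules from the thread, as (pattern, replacement) pairs.
RULE_AL = (
    r"uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth",
    "ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)",
)
RULE_MICHAEL = (
    r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth",
    "ldap:///dc=stroeder,dc=com??sub?(mail=$1)",
)


def apply_sasl_regexp(auth_dn: str, rules) -> Optional[str]:
    """Return the rewritten LDAP URL (or DN) from the first matching rule,
    or None when no rule matches. Assumption: the match covers the whole
    authentication request DN and is case-insensitive."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m is None:
            continue

        def fill(ref: "re.Match[str]") -> str:
            # $0 is the whole match, $1..$9 the capture groups; an
            # out-of-range reference becomes the empty string.
            idx = int(ref.group(1))
            return m.group(idx) if idx <= m.re.groups else ""

        return re.sub(r"\$(\d)", fill, replacement)
    return None


def parse_ldap_url(url: str) -> dict:
    """Split an ldap:///base?attrs?scope?filter URL (RFC 4516 subset) so the
    search slapd would run for the mapped identity is visible."""
    if not url.startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts[:4]
    return {
        "base": base,
        "attrs": attrs.split(",") if attrs else [],
        "scope": scope or "base",
        "filter": filt,
    }


if __name__ == "__main__":
    for label, dn in (("with realm", AUTH_DN_WITH_REALM), ("no realm", AUTH_DN_NO_REALM)):
        for name, rule in (("Al", RULE_AL), ("Michael", RULE_MICHAEL)):
            result = apply_sasl_regexp(dn, [rule])
            print(f"{name:8s} {label:10s} -> {result}")
            if result:
                print("         search:", parse_ldap_url(result))
```

Running it shows that Al's rule only produces the mail= search when the realm component cn=powell is actually present in the authentication DN, and that a character class of `[a-zA-Z0-9]+` cannot capture an authcid containing `@` or `.`, so no search is issued for a mail address at all; an unmatched rule is one way to end up at "user not found" before any password check takes place.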