RE: SASL and mail attribute help
Michael and Hallvard-
Thank you for your responses! The reinforcement regarding the context of uid
was essential.
However, I'm still having troubles...
My slapd.conf contains:
password-hash {CLEARTEXT}
sasl-regexp
uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)
My realm should be my fully-qualified domain name, correct?
[pacifico@powell data]$ hostname --fqdn
powell
A simple bind finds an entry without problem:
[pacifico@powell data]$ ldapsearch -x -D 'cn=Al Pacifico,ou=people,dc=example,dc=com' -W 'mail=pacifico@example.com' 'cn'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: mail=pacifico@example.com
# requesting: cn
#
# Al Pacifico, People, example.com
dn: cn=Al Pacifico,ou=People,dc=example,dc=com
cn: Al Pacifico
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Now, authenticating with email address:
[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional com: SASL(-13): user not found: no secret in database
Additional information:
1. Substituting -D for -U seems to halt earlier in the process.
2. Adding the -D option and argument from the simple bind example
produces the same result.
3. Adding the -v flag provides no additional useful information.
4. I've confirmed saslauthd is running on my machine and the error
message implies it is running as well.
I suspect I've omitted something SASL-related from my slapd.conf or made
some simple error in the sasl-regexp. Suggestions?
Thanks.
-al
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Michael Ströder
Sent: Wednesday, June 01, 2005 10:15 AM
To: Al Pacifico
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: SASL and mail attribute help
Michael Ströder wrote:
> Al Pacifico wrote:
>
>>The examples at OpenLDAP show use of the uid attribute, which is not present
>>for all entries in my directory. I'm not sure how to map to the correct
>>authentication request DN.
>
>
> Simply fill the attribute uid of all entries by assigning each user who
> has to bind to OpenLDAP a unique user name.
> Or use another unique attribute like 'employeeNumber'.
Sorry, got you wrong.
What you're probably after is (example not tested!):
sasl-regexp
"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth"
"ldap:///dc=stroeder,dc=com??sub?(mail=$1)"
Note 'mail=$1' in the LDAP URL.
Ciao, Michael
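To see which authentication request DN slapd forms for a SASL bind and whether a given sasl-regexp rule maps it to an LDAP URL, here is an added Python sketch of the mapping step (written for this thread; it is neither Al's nor Michael's code, nor OpenLDAP's). It assumes the match is anchored and case-insensitive, and it escapes the captured value per RFC 4515 before placing it in the filter, which the thread does not say slapd does.

```python
import re

# Rules copied from the two messages above (constructed test data, not a live slapd).
AL_REGEXP = r"uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth"
AL_URL = "ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)"
MICHAEL_REGEXP = r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth"
MICHAEL_URL = "ldap:///dc=stroeder,dc=com??sub?(mail=$1)"


def sasl_auth_dn(authcid, realm, mech):
    """DN slapd builds for a SASL bind: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.
    The cn=<realm> component is omitted when the client supplies no realm."""
    if realm:
        return f"uid={authcid},cn={realm},cn={mech},cn=auth"
    return f"uid={authcid},cn={mech},cn=auth"


def escape_filter_value(value):
    """RFC 4515 escaping so a captured authcid containing * ( ) \\ or NUL
    cannot change the meaning of the search filter it is inserted into."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def map_auth_dn(auth_dn, regexp, url_template):
    """Apply one sasl-regexp rule. Assumption: anchored, case-insensitive match
    (hypothetical stand-in for slapd's matcher). Substitutes $1..$9 into the URL
    template; returns None when the rule does not match the DN."""
    m = re.fullmatch(regexp, auth_dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: escape_filter_value(m.group(int(g.group(1)))), url_template)


def parse_ldap_url(url):
    """Minimal RFC 4516 split of ldap:///base?attrs?scope?filter into its parts,
    so the base, scope and filter slapd would search with can be inspected."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    base, attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}


if __name__ == "__main__":
    dn = sasl_auth_dn("pacifico@example.com", "powell", "DIGEST-MD5")
    print(dn)
    print(parse_ldap_url(map_auth_dn(dn, AL_REGEXP, AL_URL)))
```

Running the mapping with an e-mail address as the SASL user name shows why Michael's `[a-zA-Z0-9]+` class would not match it, and why a realm other than the one written into the rule (cn=powell) leaves the bind unmapped.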