[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Mapping through SASL does not work
Torsten-
Please see the responses to my post about a month ago:
http://www.openldap.org/lists/openldap-software/200506/msg00023.html
and
http://www.openldap.org/lists/openldap-software/200506/msg00022.html
I did not understand that the context of uid is in sasl. Hallvard B Furuseth
wrote in his response:
"The "username" from SASL is a SASL identity, not an LDAP attribute.
OpenLDAP puts it UID in the bind DN, but you can use sasl-regexp to
change that." That was key information.
You configure slapd to map what the user enters for a name (his/her email
address in my case) to a DN.
My slapd.conf contains:
password-hash {CLEARTEXT}
sasl-regexp
uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)
and it works very well.
(Ignore my follow-up posts to that thread; I was led astray by misconfigured
access control list.)
Hope this helps.
-al
Al Pacifico
Seattle, WA
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
torsten_openldap-software@gcrud.org
Sent: Monday, June 20, 2005 8:13 AM
To: openldap-software@OpenLDAP.org
Subject: Mapping through SASL does not work
Hi all,
I am refering to
http://www.openldap.org/doc/admin23/sasl.html#SASL%20Authentication
It says:
[QUOTE]
11.2.4. Mapping Authentication Identities
The authentication mechanism in the slapd server will use SASL library
calls to obtain the authenticated user's "username", based on whatever
underlying authentication mechanism was used. This username is in the
namespace of the authentication mechanism, and not in the normal LDAP
namespace. As stated in the sections above, that username is reformatted
into an authentication request DN of the form
uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
or
uid=<username>,cn=<mechanism>,cn=auth
depending on whether or not <mechanism> employs the concept of "realms".
Note also that the realm part will be omitted if the default realm was
used in the authentication.
[/QUOTE]
Wouldn't this mean in other words that if I do not configure anything
special (basically using the example configuration file for slapd.conf
that comes with the distribution) and I would try to login as "foo" it
should go and search for an entry with the DN uid=foo,cn=XXX,cn=auth in
the database?
Instead I get an error message that binding is not even tried because
"foo" is not a syntactically correct DN.
What did I miss?
Regards,
Torsten