Re: OpenLDAP and SASL
Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
> Dieter Kluenter wrote:
>
> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
[...]
> There is nothing special to do. ldapsearch -Y DIGEST-MD5 -U foo -w
> secret -H ldap://myhost -b dc=example,dc=com ...
> All you have to do is to set the userPassword value as plaintext,
> otherwise the challenge cannot be created. If you want to parse the
> sasl authentication string to a DN, then you have to define an
> authz-regexp in slapd.conf(5) and the user has to have a uid
> attribute.
[...]
> I still cannot authenticate using the password from the userPassword attribute. I
> also attach 2 configuration files with this email. Is there any missing
> configuration?
Could you provide some logs?
[...]
> # slapd.conf - Configuration file for LDAP SLAPD
> ##########
> authz-regexp
> uid=([^,]+).*,cn=auth
> uid=$1,ou=Users,dc=example,dc=com
> authz-regexp
> email=([^,]+),cn=([^,]+).*,c=TH$
> uid=$2,ou=Users,dc=example,dc=com
> sasl-realm example.com
> sasl-secprops none
Is there any particular reason to define the second authz-regexp rule?
> access to attrs=userPassword
> by self write
> by anonymous auth
> by * none
> access to dn.subtree="ou=System,dc=example,dc=com"
> by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
> by users read
> access to *
> by self write
> by users read
> by * none
[...]
run slapd -d acl and post the relevant parts.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
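As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of how slapd applies the two quoted authz-regexp rules to a SASL identity. It assumes slapd's documented behaviour: rules are tried in configuration order, the first match wins, and a DIGEST-MD5 bind arrives as the lower-cased string uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, while a TLS client certificate subject (SASL EXTERNAL) arrives as the certificate DN.

```python
import re

# The two authz-regexp rules from the quoted slapd.conf: (pattern, replacement).
AUTHZ_REGEXP = [
    (r"uid=([^,]+).*,cn=auth", "uid=$1,ou=Users,dc=example,dc=com"),
    (r"email=([^,]+),cn=([^,]+).*,c=TH$", "uid=$2,ou=Users,dc=example,dc=com"),
]


def map_authz_dn(sasl_dn, rules=AUTHZ_REGEXP):
    """Return (rule_number, mapped_dn) for the first matching rule, else None.

    Simplified model of slapd's authz-regexp handling (not OpenLDAP code):
    patterns are unanchored POSIX-style regexes searched in order, $1..$9 in
    the replacement refer to capture groups, and matching is case-insensitive
    because slapd normalizes the SASL identity before matching.
    """
    for number, (pattern, replacement) in enumerate(rules, start=1):
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            return number, dn
    return None


# Constructed sample identities, as slapd would present them to authz-regexp.
DIGEST_MD5_ID = "uid=foo,cn=example.com,cn=digest-md5,cn=auth"   # -Y DIGEST-MD5 -U foo
CERT_SUBJECT_ID = "email=bar@example.com,cn=bar,ou=Staff,c=TH"   # SASL EXTERNAL over TLS
UNMAPPED_ID = "cn=nobody,o=Example"

if __name__ == "__main__":
    # Rule 1 handles every DIGEST-MD5 identity; note it also accepts any realm
    # and any mechanism because of the ".*" before ",cn=auth".
    print(map_authz_dn(DIGEST_MD5_ID))    # (1, 'uid=foo,ou=Users,dc=example,dc=com')
    # Rule 2 can only ever match identities ending in c=TH, i.e. certificate
    # subjects, never a DIGEST-MD5 identity, so it plays no part in the
    # reporter's DIGEST-MD5 problem.
    print(map_authz_dn(CERT_SUBJECT_ID))  # (2, 'uid=bar,ou=Users,dc=example,dc=com')
    # No rule matches: slapd keeps the raw SASL DN, which has no entry, so
    # ACLs like "by self write" will not apply to the bound user.
    print(map_authz_dn(UNMAPPED_ID))      # None
```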