
Re: simple-auth to SASL mapping?



Stefan Palme wrote:

> I have set up an OpenLDAP server for users authenticating
> using SASL. The authz-regexp "converts" the SASL identity
> into a DN which is used only for authorization purposes 
> - there are no real LDAP entries with these DNs. This setup
> works fine.
> 
> Now I have some LDAP client applications that only support
> simple authentication, but no SASL authentication. So I am
> looking for a way to "map" simple authentication to SASL
> authentication, e.g. when a user uses simple auth with
> DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should
> authenticate this user via SASL using username "user1"
> and the provided password.
> 
> I absolutely DO NOT WANT to create real LDAP entries for
> these users, because the user database is an external one
> accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I 
> don't want to manage user accounts in two places :-)
> 
> Is this possible?
> 
> I already thought about using an "ldap"-backend to proxy
> simple-auth-connections, but I did not find a way to just
> "rewrite" the authentication information and make the proxy
> server using SASL with a username extracted from the simple
> auth DN...

The only way I see, apart from writing a custom layer (an overlay) to
slapd, consists in populating the database with the users' entries,
setting their userPassword to "{SASL}<saslname>" and configuring slapd's
SASL to auth them accordingly.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
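The approach described in the reply, written out as configuration. This is an added example, not code from the thread or from the OpenLDAP project; the suffix, the file paths, the backend type and the assumption that saslauthd runs with `-a pam` (so that the SASL->PAM path in the question is reused) are all assumptions:

```conf
# /etc/openldap/slapd.conf (fragment; suffix, rootdn and backend are assumptions)
# Each SASL user gets a placeholder entry under ou=users, but the entry
# holds no secret: a {SASL} userPassword tells slapd to verify a simple
# bind by handing the user name and password to the SASL library.
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"

# The same mapping the question already uses for SASL binds, so a
# SASL bind and a simple bind end up as one DN for authorization.
authz-regexp
        uid=([^,]*),cn=[^,]*,cn=auth
        cn=$1,ou=users,dc=domain,dc=com

# Only the rootdn writes userPassword: its value names the backend
# account and must not be changeable by the users themselves.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by users read
        by * none

# /usr/lib/sasl2/slapd.conf (Cyrus SASL's per-application config for slapd)
# Simple binds against {SASL} passwords are checked through saslauthd,
# assumed to be started as "saslauthd -a pam".
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# user1.ldif: one placeholder entry per SASL user (constructed example)
# No password is stored; "{SASL}user1" only refers to the SASL account.
dn: cn=user1,ou=users,dc=domain,dc=com
objectClass: person
cn: user1
sn: user1
userPassword: {SASL}user1
```

With this in place a simple bind as `cn=user1,ou=users,dc=domain,dc=com` makes slapd pass "user1" and the supplied password to saslauthd, which checks them via PAM, so the credential store stays external and the LDAP entries are pure placeholders. slapd has to be built with Cyrus SASL support for the `{SASL}` scheme to be recognised, and the password travels in clear text from slapd to the saslauthd mux socket, so that socket should be readable only by the slapd user.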