Re: SASL EXTERNAL, sasldb2 and authz-regexp
Dieter Kluenter wrote:
> Götz Reinicke - IT-Koordinator <goetz.reinicke@filmakademie.de> writes:
>
>> Hi folks,
> [...]
>> My consumer server should bind to the provider using sasl with the
>> saslmech external. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
>>
>> I've changed the slapd.conf files on both servers:
>>
>> consumer:
>>
>> syncrepl ...
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=yes
>>
>> provider:
>>
>> authz-regexp
>> "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
>> officenet,o=filmakademie baden-wuerttemberg
>> gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de"
>> "cn=replicator,dc=filmakademie,dc=de"
>>
>> after restarting both servers I do get the error:
>>
>> <==slap_sasl2dn: Converted SASL name to <nothing>
>> SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such
>> file or directory
>
> [...]
>
> I don't see a configuration for client certs, as an example I provide
> my slapd.conf
>
> syncrepl rid=042
> provider=ldap://rubin.avci.de
> sizelimit=unlimited
> bindmethod=sasl
> saslmech=external
> starttls=yes
> tls_cert=/etc/openldap/certs/replicator.pem
> tls_key=/etc/openldap/certs/replicator-key.pem
> tls_cacert=/etc/openldap/certs/avciCA.pem
> tls_reqcert=demand
> searchbase="o=avci,c=de"
> scope=sub
> [...]
Hi Dieter,
it looks like I still have some misunderstanding of where to set some
options after following my manual... Maybe your book is better ;-)
I added the tls_* options to my consumer slapd.conf and started both
servers again. Now I still get messages on the provider which confuse
me, in particular the line "Converted SASL name to <nothing>":
do_sasl_bind: dn (cn=replicator,dc=filmakademie,dc=de) mech EXTERNAL
==>slap_sasl2dn: converting SASL name
email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de to a DN
slap_authz_regexp: converting SASL name
email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/EXTERNAL bind:
dn="email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" sasl_ssf=0
Any suggestions? Thanks for your response,
/Götz
--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
Managing Director:
Prof. Thomas Schadt
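As an added diagnostic (not code from this thread or from OpenLDAP), the Python snippet below runs the SASL name that the provider logged above through authz-regexp rules the way slapd's first-match lookup does: the rule as quoted from the provider's slapd.conf, an anchored variant of the same certificate subject, and that subject pasted in unanchored. It assumes slapd matches against exactly the string it logs after "slap_authz_regexp: converting SASL name", with POSIX extended, case-insensitive regex semantics that Python's re reproduces for these patterns; OTHER_SUBJECT is a constructed subject, not one from the thread.

```python
import re

# SASL name exactly as the provider logged it above
# ("slap_authz_regexp: converting SASL name ..."), rejoined onto one line.
LOGGED_NAME = (
    "email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,"
    "ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
    "l=ludwigbsburg,st=baden-wuerttemberg,c=de"
)
TARGET_DN = "cn=replicator,dc=filmakademie,dc=de"

# Rule 1: the authz-regexp as quoted from the provider's slapd.conf (rejoined).
CONFIGURED_RULE = ("dn=" + LOGGED_NAME, TARGET_DN)
# Rule 2: the same subject, anchored and with the dots escaped, so that only
# this exact certificate subject is mapped onto the replicator identity.
ANCHORED_RULE = (
    r"^email=webmaster@filmakademie\.de,cn=ldap2\.filmakademie\.de,"
    r"ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
    r"l=ludwigbsburg,st=baden-wuerttemberg,c=de$",
    TARGET_DN,
)
# Rule 3: the subject pasted in as-is, without ^ and $.
UNANCHORED_RULE = (LOGGED_NAME, TARGET_DN)
# Constructed subject (not from the thread) that merely ends with the expected
# subject; used to show why the anchors matter.
OTHER_SUBJECT = "cn=some other host," + LOGGED_NAME


def expand(replacement, match):
    """Substitute $1..$9 in the replacement with the pattern's capture groups."""
    return re.sub(r"\$([1-9])", lambda g: match.group(int(g.group(1))), replacement)


def authz_map(sasl_name, rules):
    """Emulate authz-regexp: first matching rule wins; None means "<nothing>".

    Assumed: slapd runs a POSIX extended, case-insensitive regexec() over the
    logged name, unanchored unless ^/$ are given; re.search(IGNORECASE) agrees.
    """
    for pattern, replacement in rules:
        match = re.search(pattern, sasl_name, re.IGNORECASE)
        if match:
            return expand(replacement, match)
    return None


if __name__ == "__main__":
    print("configured rule:", authz_map(LOGGED_NAME, [CONFIGURED_RULE]))
    print("anchored rule:  ", authz_map(LOGGED_NAME, [ANCHORED_RULE]))
    print("unanchored rule, other subject:", authz_map(OTHER_SUBJECT, [UNANCHORED_RULE]))
    print("anchored rule, other subject:  ", authz_map(OTHER_SUBJECT, [ANCHORED_RULE]))
```

The configured rule yields None because the logged name begins with "email=", not "dn=", while the unanchored rule also accepts a subject that merely contains the expected DN as a suffix, which the anchored rule rejects.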