
Re: SASL EXTERNAL, sasldb2 and authz-regexp



On 14.04.2010 09:36, Götz Reinicke - IT-Koordinator wrote:
Dieter Kluenter wrote:
Götz Reinicke - IT-Koordinator <goetz.reinicke@filmakademie.de> writes:

Hi folks,
[...]
My consumer server should bind to the provider using sasl with the
saslmech external. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3 )

I've changed the slapd.conf files on both servers:

consumer:

syncrepl        ...
                bindmethod=sasl
                saslmech=EXTERNAL
                starttls=yes

provider:

authz-regexp
	"dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de"
	"cn=replicator,dc=filmakademie,dc=de"
At first sight this looks like a wrong authz-regexp:
dn=email= ....
after restarting both servers I do get the error:

<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such
file or directory
[...]

I don't see a configuration for client certs; as an example I provide
my slapd.conf:

syncrepl rid=042
         provider=ldap://rubin.avci.de
         sizelimit=unlimited
         bindmethod=sasl
         saslmech=external
         starttls=yes
         tls_cert=/etc/openldap/certs/replicator.pem
         tls_key=/etc/openldap/certs/replicator-key.pem
         tls_cacert=/etc/openldap/certs/avciCA.pem
         tls_reqcert=demand
         searchbase="o=avci,c=de"
         scope=sub
         [...]

Hi Dieter,

it looks like I still have some misunderstanding of where to set some
options after following my manual... Maybe your book is better ;-)

I added the tls_* options to my consumer slapd.conf and started both
servers again. Now I still get messages on the provider which confuse
me, in particular the line "Converted SASL name to <nothing>":

do_sasl_bind: dn (cn=replicator,dc=filmakademie,dc=de) mech EXTERNAL

==>slap_sasl2dn: converting SASL name
email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de to a DN

slap_authz_regexp: converting SASL name
email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de

<==slap_sasl2dn: Converted SASL name to <nothing>

SASL Authorize [conn=0]:  proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/EXTERNAL bind:
dn="email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it
officenet,o=filmakademie baden-wuerttemberg
gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" sasl_ssf=0


Any suggestions? Thanks for your response,

	/Götz
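The debug output above shows exactly which string slapd hands to authz-regexp: the certificate subject in slapd's own normalised rendering ("email=webmaster@...,c=de", no "dn=" prefix), and "Converted SASL name to <nothing>" means no rule matched, after which the bind went ahead with that raw subject as the bind DN. The following script is an added example, not code from the thread or from OpenLDAP: it reproduces the authz-regexp step offline so a rule can be checked against the logged SASL name before restarting slapd. It uses Python's re module as a stand-in for the POSIX extended, case-insensitive regex that slapd compiles, keeps slapd's first-match-wins ordering, and expands $0..$9 in the replacement. The SASL name is reassembled from the wrapped log lines of the post; the "per host" rule and the ou=replicators subtree it maps to are hypothetical.

```python
import re

# Identity slapd logged for the EXTERNAL bind ("slap_authz_regexp: converting
# SASL name ..."), reassembled from the wrapped lines of the posted log.
SASL_NAME = ("email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,"
             "ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
             "l=ludwigbsburg,st=baden-wuerttemberg,c=de")

# (match, replace) pairs, in the order they would appear in slapd.conf.
# The rule as posted: the leading "dn=" never occurs in the logged name.
RULE_AS_POSTED = (
    r"dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,"
    r"o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de",
    "cn=replicator,dc=filmakademie,dc=de",
)
# Same rule without the "dn=" prefix, anchored and with the dots escaped.
RULE_FIXED = (
    r"^email=webmaster@filmakademie\.de,cn=ldap2\.filmakademie\.de,ou=it officenet,"
    r"o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de$",
    "cn=replicator,dc=filmakademie,dc=de",
)
# Hypothetical generalisation: one rule for every host certificate issued under
# the same subject tree, keyed on the cn. The ou=replicators layout is assumed.
RULE_PER_HOST = (
    r"^email=[^,]+,cn=([^,]+),ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
    r"l=ludwigbsburg,st=baden-wuerttemberg,c=de$",
    "cn=$1,ou=replicators,dc=filmakademie,dc=de",
)


def expand(replace, m):
    """Substitute $0..$9 in the replacement with the regex groups, as slapd does."""
    def group(d):
        i = int(d.group(1))
        return (m.group(i) or "") if i <= m.re.groups else ""
    return re.sub(r"\$(\d)", group, replace)


def authz_map(sasl_name, rules):
    """Return the DN slapd would authorize as, or None for "<nothing>".

    Rules are tried in order and the first match wins. Like regexec(), the
    search is unanchored unless the pattern itself carries ^ and $; matching
    is case-insensitive because slapd compiles the pattern with REG_ICASE.
    """
    for match, replace in rules:
        m = re.search(match, sasl_name, re.IGNORECASE)
        if m:
            return expand(replace, m)
    return None


def demo():
    """Map the logged SASL name through each candidate rule set."""
    return {
        "as posted": authz_map(SASL_NAME, [RULE_AS_POSTED]),
        "fixed": authz_map(SASL_NAME, [RULE_FIXED]),
        "per host": authz_map(SASL_NAME, [RULE_PER_HOST]),
    }


if __name__ == "__main__":
    for label, dn in demo().items():
        print(f"{label:>10}: {dn if dn is not None else '<nothing>'}")
```

Copy the match string from the "slap_authz_regexp: converting SASL name" log line rather than from openssl's subject output: slapd matches against its own normalised form (lower-case attribute types, "email=" rather than "emailAddress="), and a pattern built from any other rendering will silently produce the "<nothing>" shown above. Anchoring with ^ and $ matters for the same reason: an unanchored pattern that merely searches for "o=filmakademie ...,c=de" would also map any other certificate issued with that subject suffix onto the replicator DN.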