
RE: PROBLEM: can't use SASL to authentication openldap client



Hi, Klünter
	Now I can use SASL to authenticate, but OpenLDAP seems to be using the password attribute stored in the user entry in OpenLDAP to do the SASL authentication. I expect OpenLDAP to use sasldb as an external source for the authentication.
	1. My slapd.conf is below:
include         /usr/local/openldap/schema/core.schema
include         /usr/local/openldap/schema/cosine.schema
include         /usr/local/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/schema/openldap.schema
include         /usr/local/openldap/schema/nis.schema
pidfile         /usr/local/openldap/slapd.1.pid
argsfile        /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self

database bdb
suffix   "ou=people,dc=example,dc=com"
rootdn   "cn=admin,ou=people,dc=example,dc=com"
	
	2. I also created slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
with this content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5

	3. I used saslpasswd2 to create the user and password.

Can you help to check this?

-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, June 24, 2010 1:07 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

"LI Ji D" <Ji.d.Li@alcatel-lucent.com> writes:

> Hi,
> 	This is my comprehension:
> 1. The client is connecting to SLAPD requesting an SASL bind.
> 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
> 3. The client sends the authentication information to SLAPD.
> 4. SLAPD performs the translation specified in authz-regexp.
> 5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
> 6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client. 
>
> So SLAPD just compares the password received from the client with the one stored in sasldb2; how could it relate to the one stored in LDAP, like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="?

Sorry, my bad. I forgot that you use sasldb as an external
authentication source. My remarks were based on an internal SASL
authentication. Try to raise the debug level in sasl/slapd.conf,
something like 'loglevel: 7'. If you use syslog, allow SASL to log to
auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
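The two mechanisms the thread is about, modelled in Python as an added example (not code from either poster, OpenLDAP or Cyrus SASL): step 5 of the quoted outline, where the SASL layer has to verify a DIGEST-MD5 response against a stored secret, and step 4, where slapd rewrites the SASL identity with authz-regexp. The user, realm, password, nonces and digest-uri are constructed sample values; the whole-string, case-insensitive matching in `apply_authz_regexp` is an approximation of slapd's matching and an assumption of this model. It uses the two arguments authz-regexp actually takes, the match pattern and the replacement, with the pattern from the posted slapd.conf, and shows why the `(.*)` group is a pitfall: a client that sends a realm produces a DN with a `cn=<realm>` component, which the greedy group swallows into the search filter.

```python
"""Model of DIGEST-MD5 verification (RFC 2831) and slapd's authz-regexp step.
Added illustration; identities, secrets and nonces below are constructed."""
import hashlib
import hmac
import re


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        nc="00000001", qop="auth",
                        digest_uri="ldap/ldap.example.com"):
    """Client response per RFC 2831 (qop=auth, no authzid).

    A1 = H(username:realm:password) : nonce : cnonce   (inner H is raw bytes)
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(H(HEX(H(A1)) : nonce : nc : cnonce : qop : HEX(H(A2))))
    """
    secret = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}".encode()
    return md5_hex(kd)


def server_verify(sasldb, username, realm, nonce, cnonce, response, **kw):
    """What the auxprop/sasldb side does: fetch the user's secret and recompute
    the response.  This needs the plaintext password (or the equivalent
    H(username:realm:password)); a one-way {SHA} userPassword in the directory
    cannot be turned back into that secret, so it cannot verify DIGEST-MD5."""
    password = sasldb.get((username, realm))
    if password is None:
        return False
    expected = digest_md5_response(username, realm, password, nonce, cnonce, **kw)
    return hmac.compare_digest(expected, response)


def sasl_auth_dn(authcid, mech, realm=None):
    """DN slapd derives from a SASL bind before authz-regexp is applied
    (OpenLDAP admin guide: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth; the
    cn=<realm> component is present only when the client supplied a realm)."""
    if realm:
        return f"uid={authcid},cn={realm},cn={mech},cn=auth"
    return f"uid={authcid},cn={mech},cn=auth"


# The two arguments authz-regexp takes: <match> <replace>.  Pattern taken from
# the slapd.conf posted above; the replacement is an LDAP search URL.
AUTHZ_REGEXP = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
     r"ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"),
]


def apply_authz_regexp(dn, rules=AUTHZ_REGEXP):
    """First matching rule wins; $1..$9 in the replacement refer to the regex
    groups.  Whole-string, case-insensitive matching is an approximation of
    slapd's behaviour (assumption of this model)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return dn  # no rule matched: the raw SASL DN is used unchanged


def demo():
    # Constructed stand-in for what saslpasswd2 would have stored in sasldb.
    sasldb = {("jdoe", "example.com"): "s3cret"}
    nonce, cnonce = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk"   # constructed nonces
    resp = digest_md5_response("jdoe", "example.com", "s3cret", nonce, cnonce)
    verified = server_verify(sasldb, "jdoe", "example.com", nonce, cnonce, resp)
    no_realm = apply_authz_regexp(sasl_auth_dn("jdoe", "DIGEST-MD5"))
    with_realm = apply_authz_regexp(sasl_auth_dn("jdoe", "DIGEST-MD5", "example.com"))
    return verified, no_realm, with_realm


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The with-realm case yields a filter of `(cn=jdoe,cn=example.com)`, which matches no entry; a pattern such as `uid=([^,]*),cn=[^,]*,cn=DIGEST-MD5,cn=auth` keeps the realm out of the captured group.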