RE: PROBLEM: can't use SASL to authentication openldap client
Hi,
I have read slapd.conf(5) on authz-policy, and I'm confused now.
Also, I found that I gave you an incorrect slapd.conf; the correct one is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) #binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
there is no proxy.
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li@alcatel-lucent.com> writes:
> Hi,
> I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
> bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
> slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> send_ldap_result: conn=2 op=2 p=3
> SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
> send_ldap_sasl: err=0 len=40
> do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
> send_ldap_response: msgid=3 tag=97 err=0
[...]
>>include /usr/local/openldap/schema/core.schema
>>include /usr/local/openldap/schema/cosine.schema
>>include /usr/local/openldap/schema/inetorgperson.schema
>>include /usr/local/openldap/schema/openldap.schema
>>include /usr/local/openldap/schema/nis.schema
>>pidfile /usr/local/openldap/slapd.1.pid
>>argsfile /usr/local/openldap/slapd.1.args
>>password-hash {CLEARTEXT}
>>authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
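For reference, here is a slapd.conf fragment, added as an illustration and not taken from either poster's configuration, that shows the two-argument form of the authz-regexp directive (match pattern and replacement DN or LDAP URL; the binddn=, credentials= and mode= tokens on the posted line are not authz-regexp parameters) together with the authz-policy setting that Dieter's reply points to. The suffix, the `cn=` lookup and the `[^,]*` pattern are assumptions chosen to match the thread's example tree; the authzTo value is likewise illustrative.

```conf
# Map the SASL authentication identity that a DIGEST-MD5 bind produces,
# uid=<user>,cn=DIGEST-MD5,cn=auth, onto the entry whose cn equals <user>
# directly under ou=people,dc=example,dc=com.  authz-regexp takes exactly
# two arguments: the pattern and the replacement (a DN or an LDAP URL whose
# search must return exactly one entry).
authz-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(cn=$1)

# Proxy authorization is only consulted when a client also sends an
# authorization identity (for example: ldapsearch -U admin -X u:someone).
# With "authz-policy to", the authenticated entry must carry an authzTo
# attribute listing the identities it is allowed to assume, e.g.
#   authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)
# Without such an attribute slapd rejects the requested authzid.
# Leave this out entirely if no client ever asks to act as someone else.
authz-policy to
```

A quick check that the mapping itself works is `ldapwhoami -U admin`; it should report the DN the regexp resolved to (here `cn=admin,ou=people,dc=example,dc=com`), which is also what the `do_bind: SASL/DIGEST-MD5 bind: dn=...` log line in the thread already shows.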