Re: OpenLDAP session authentication

[Erik Lotspeich <erik@lotspeich.org>]

Hi Dan,

OK, I got things working.  Thank you for your patience!

>> What DN would I use for simple authentication?  Maybe Thunderbird cannot
>> perform a SASL BIND?

It seems Thunderbird only performs a simple bind.

> For simple authentication, you'd need to specify the DN of an entry within
> your LDAP tree.

This statement helped me put it all together.

Another missing piece for me was the userPassword attribute.  I didn't
realize that it was to be part of an entry (for some reason, I thought
it was a slapd.conf parameter).  I added this entry for the users who I
want to allow to authenticate.

It is acceptable to me to bind against the full dn of users entry, so I
bind against this:

cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org

The userPassword attribute is set to:

userPassword: {SASL}erik

So now, simple binds work now:

erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -D 'cn=Erik
Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org' -W
Enter LDAP Password:
dn:cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org

For SASL binds, it also works:

erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -U erik -W
Enter LDAP Password:
SASL/PLAIN authentication started
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth

Looking through the Admin guide, I decided on a set of rules that seem
to accomplish what I want:

access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none

access to *
        by self write
        by users write
        by * none

Again, thanks for your help.  I learned a lot -- I believe I know enough
now to make better sense of the Admin guide.

Regards,

Erik