Re: OpenLDAP session authentication
Hi Dan,
OK, I got things working. Thank you for your patience!
>> What DN would I use for simple authentication? Maybe Thunderbird cannot
>> perform a SASL BIND?
It seems Thunderbird only performs a simple bind.
> For simple authentication, you'd need to specify the DN of an entry within
> your LDAP tree.
This statement helped me put it all together.
Another missing piece for me was the userPassword attribute. I didn't
realize that it was to be part of an entry (for some reason, I thought
it was a slapd.conf parameter). I added this entry for the users who I
want to allow to authenticate.
It is acceptable to me to bind against the full DN of a user's entry, so I
bind against this:
cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org
The userPassword attribute is set to:
userPassword: {SASL}erik
So now, simple binds work:
erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -D 'cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org' -W
Enter LDAP Password:
dn:cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org
For SASL binds, it also works:
erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -U erik -W
Enter LDAP Password:
SASL/PLAIN authentication started
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth
Looking through the Admin guide, I decided on a set of rules that seem
to accomplish what I want:
access to attrs=userPassword
by self =xw
by anonymous auth
by * none
access to *
by self write
by users write
by * none
Again, thanks for your help. I learned a lot -- I believe I know enough
now to make better sense of the Admin guide.
Regards,
Erik
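As an added example, not part of Erik's message and not OpenLDAP's own code: a small Python model of how slapd walks the two access directives quoted above (first matching <what>, then the first matching <by> clause wins, and a directive with no matching <by> denies), used to check what an anonymous session, the entry's owner and another authenticated user can do to userPassword and to the rest of an entry. The second user's DN is a constructed placeholder.

```python
# Added example: a simplified model of how slapd walks the access directives
# quoted above (first matching <what>, first matching <by> clause wins, no match
# means deny). Not slapd's own code; it covers only the subjects those rules use.

# Privilege letters slapd bundles into each named level
# (d=disclose, x=auth, c=compare, s=search, r=read, w=write).
LEVELS = {"none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
          "search": "scxd", "read": "rscxd", "write": "wrscxd"}

# The two directives from the post, as (<what>, [(<who>, <access>), ...]).
ACL = [
    ("userPassword", [("self", "=xw"), ("anonymous", "auth"), ("*", "none")]),
    ("*",            [("self", "write"), ("users", "write"), ("*", "none")]),
]

def privs(spec):
    """'=xw' grants exactly those letters (auth + write, but no read);
    a bare level name grants that level and everything below it."""
    return set(spec[1:]) if spec.startswith("=") else set(LEVELS[spec])

def who_matches(who, requester, target):
    """Does a <who> clause apply? requester is the bound DN, None if anonymous."""
    return {"*": True,
            "anonymous": requester is None,
            "users": requester is not None,
            "self": requester is not None and requester.lower() == target.lower(),
            }[who]

def granted(requester, target, attr):
    """Privilege letters the ACL grants requester on target's attr."""
    for what, clauses in ACL:
        if what != "*" and what.lower() != attr.lower():
            continue
        for who, spec in clauses:
            if who_matches(who, requester, target):
                return privs(spec)  # first matching <by> clause wins
        return set()                # <what> matched but no <who> did: deny
    return set()                    # no directive matched: deny

# Erik's DN is from the post; the second DN is a constructed placeholder.
ERIK = "cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org"
OTHER = "cn=Other User,ou=family,ou=people,dc=lotspeich,dc=org"

if __name__ == "__main__":
    for label, dn in [("anonymous", None), ("self", ERIK), ("other user", OTHER)]:
        print(label, "userPassword:", sorted(granted(dn, ERIK, "userPassword")),
              "other attrs:", sorted(granted(dn, ERIK, "mail")))
```

The walk shows that nobody can read userPassword (anonymous only gets auth, the owner gets auth plus write), while the second directive's `by users write` lets any authenticated user modify every other attribute of every entry, not just their own.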