
Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
> Thank you Dan.
>
> I simplified the test environment. (see below)
>
> * Problem summary
>  Does anybody succeed to setup SASL(digest-md5) authentication with
>  mysql database and latest openldap-server??
>
>  I'm not sure why this configuration does not work correctly,
>  and it seems that the LDAP server compares the DN and input password in LDAP
>  authentication. (see log below)

> To: Dan
>
>>  sasl-regexp
>>   uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>>   uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
>>
>> This isn't matching what's showing up in your logs. slapd is internally
>> canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
>
> Is this true??
> I tested again. It seems that c=<realm> will set the ``sasl-realm'' value.

In your original post, you specified this command:

ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5  -U
ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
-LLL '(objectclass=*)'

Did you specify '-R mydomain.com' in all the other examples?

I'm getting a little confused with which realm value we're talking about.

See the sasl_server_new(3) man page for a discussion of what sasl-host
(serverFQDN) and sasl-realm (user_realm) will do if set in your slapd
config. I don't know what effect, if any, setting either value will have
when using the digest-md5 mechanism.

In fact, it might simplify things to drop the sasl realm (-R) altogether and
capture the domain in the authentication identity (-U
ldapuser@mydomain.com), if your environment supports it.

> case1
>
>      # sasl-realm mydomain.com
>      sasl-regexp
>        uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
>        uid=$1,ou=users,dc=mydomain,dc=com

Another way to approach this (without using realms):

sasl-regexp
  uid=([^@]+)@([^\.]+)\.([^,]+),cn=.*,cn=auth
  uid=$1,ou=users,dc=$2,dc=$3

(and yes, I just broke my own rule about .*)

--
Dan White
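The following is an added worked example, not code from the thread or from OpenLDAP: a small Python model of how a sasl-regexp rule rewrites a SASL authentication identity into an LDAP DN. It runs the three rules quoted in the thread (Hiroyuki's original pattern, the "case1" pattern, and Dan's realm-less pattern) against the identity string that slapd canonicalizes to, so the mismatch Dan points out can be seen directly. Assumptions: the match is anchored to the whole identity and is case-sensitive (a simplification of slapd's regexec-based matching; consult slapd.conf(5) for the exact semantics), the `$N` replacement syntax is modelled on the thread's rules, and the identity strings are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Rules exactly as quoted in the thread: (match pattern, replacement with $N backrefs).
RULE_ORIGINAL = (
    r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
    r"uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com",
)
RULE_CASE1 = (
    r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
    r"uid=$1,ou=users,dc=mydomain,dc=com",
)
RULE_NO_REALM = (
    r"uid=([^@]+)@([^\.]+)\.([^,]+),cn=.*,cn=auth",
    r"uid=$1,ou=users,dc=$2,dc=$3",
)

# Constructed identity strings for the example.
# What slapd builds when the realm is canonicalized, per Dan's observation.
CANONICAL_REALM_ID = "uid=ldapuser,cn=mydomain,dc=com,cn=digest-md5,cn=auth"
# What Hiroyuki's original pattern was written against.
LITERAL_REALM_ID = "uid=ldapuser,cn=mydomain.com,cn=digest-md5,cn=auth"
# Identity when the domain travels in the authcid instead of a realm (-U ldapuser@mydomain.com).
NO_REALM_ID = "uid=ldapuser@mydomain.com,cn=digest-md5,cn=auth"


def sasl_regexp_map(rules: List[Tuple[str, str]], authcid: str) -> Optional[str]:
    """Return the DN produced by the first rule whose pattern matches authcid,
    or None if no rule matches (slapd would then fall back to the raw identity).

    Assumption: the pattern must match the entire identity (re.fullmatch).
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid)
        if m is None:
            continue

        def expand(ref: "re.Match[str]") -> str:
            # $0 is the whole match, $1..$9 are the capture groups.
            return m.group(int(ref.group(1)))

        return re.sub(r"\$(\d)", expand, replacement)
    return None


def original_rule_on_canonical_realm() -> Optional[str]:
    """Hiroyuki's pattern vs. the canonicalized realm: no match, so no DN mapping."""
    return sasl_regexp_map([RULE_ORIGINAL], CANONICAL_REALM_ID)


def original_rule_on_literal_realm() -> Optional[str]:
    """The same pattern does match the form it was written for."""
    return sasl_regexp_map([RULE_ORIGINAL], LITERAL_REALM_ID)


def case1_rule_on_canonical_realm() -> Optional[str]:
    """The 'case1' pattern matches the canonicalized realm and maps to the user DN."""
    return sasl_regexp_map([RULE_CASE1], CANONICAL_REALM_ID)


def no_realm_rule(authcid: str = NO_REALM_ID) -> Optional[str]:
    """Dan's realm-less pattern: the domain comes from the authcid, not the realm."""
    return sasl_regexp_map([RULE_NO_REALM], authcid)


if __name__ == "__main__":
    print("original rule, canonical realm :", original_rule_on_canonical_realm())
    print("original rule, literal realm   :", original_rule_on_literal_realm())
    print("case1 rule, canonical realm    :", case1_rule_on_canonical_realm())
    print("no-realm rule, digest-md5      :", no_realm_rule())
    # The cn=.* in the realm-less rule matches any mechanism name, which is the
    # looseness Dan alludes to when he says he broke his own rule about .*
    print("no-realm rule, other mechanism :",
          no_realm_rule("uid=ldapuser@mydomain.com,cn=plain,cn=auth"))
```

Running the script shows that the original rule yields no mapping for the realm string slapd actually produces, while the case1 rule yields `uid=ldapuser,ou=users,dc=mydomain,dc=com` from the same input. The last line illustrates why Dan flags `cn=.*`: that component accepts any mechanism name, so a pattern intended for digest-md5 also rewrites identities arriving over other mechanisms; narrowing it to the mechanism you expect keeps the mapping as tight as the rest of the pattern.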