[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: whose responsability



On 10/07/11 17:08 -0300, Friedrich Locke wrote:
Hi,

i have installed and configured openldap and so far, so good. But i
have a simple doubt.

Up to now, all users i have added to the ldap server have a field:

userPassword: {SASL}user@domain

I am connecting to retrieve the entry attributes with the following command:

ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
uid=user,ou=people,dc=my,dc=domain

And everyting works ok.
My doubt is:

       who is performing the password checking? The openldap server
daemon (slapd) ou the ldapsearch ?

When userPassword is configured with '{SASL}user@domain', you are using
SASL pass-through authentication. See section 14.5 (Pass-Through
authentication) of the OpenLDAP Administrator's Guide for documentation.

In such a scenario, authentication is ultimately handled by the libsasl2
glue layer, and is controlled by the configuration of your sasl slapd.conf
file, which is typically found in /usr/lib/sasl2/slapd.conf.

Presumably you've configured pass-through authentication because of a need
to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).

--
Dan White