Re: whose responsability

[Dan White <dwhite@olp.net>]

> On Sun, Jul 10, 2011 at 5:41 PM, Dan White <dwhite@olp.net> wrote:
> > > ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
> > > uid=user,ou=people,dc=my,dc=domain
> > >
> > > And everyting works ok.
> > > My doubt is:
> > >
> > >       who is performing the password checking? The openldap server
> > > daemon (slapd) ou the ldapsearch ?
> >
> > When userPassword is configured with '{SASL}user@domain', you are using
> > SASL pass-through authentication. See section 14.5 (Pass-Through
> > authentication) of the OpenLDAP Administrator's Guide for documentation.
> >
> > In such a scenario, authentication is ultimately handled by the libsasl2
> > glue layer, and is controlled by the configuration of your sasl slapd.conf
> > file, which is typically found in /usr/lib/sasl2/slapd.conf.
> >
> > Presumably you've configured pass-through authentication because of a need
> > to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).

On 10/07/11 17:56 -0300, Friedrich Locke wrote:
> Thanks for your response!
>
> But who is doing the comunication with saslauthd, the slap daemon
> process or the ldapsearch process ?
>
> Thanks once more!

slapd will be communicating with saslauthd (or your configured
pwcheck_method) via libsasl2. 

With your ldapsearch command, the dn and password will be transmitted in
clear text over the wire to your openldap/slapd server, for authentication,
unless you've configured ldaps or starttls encryption for protection.

--
Dan White