[Date Prev][Date Next] [Chronological] [Thread] [Top]

[RESOLVED] EXTERNAL mech missing

To: Dan White <dwhite@olp.net>
Subject: [RESOLVED] EXTERNAL mech missing
From: Emmanuel Dreyfus <manu@netbsd.org>
Date: Tue, 18 Dec 2012 10:41:15 +0000
Cc: Emmanuel Dreyfus <manu@netbsd.org>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <20121217184616.GF6645@dan.olp.net>
References: <20121213172622.GI22082@homeworld.netbsd.org> <20121213174656.GD6481@dan.olp.net> <20121217164049.GB18516@homeworld.netbsd.org> <20121217170811.GD6645@dan.olp.net> <20121217172843.GC18516@homeworld.netbsd.org> <20121217184616.GF6645@dan.olp.net>
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Dec 17, 2012 at 12:46:17PM -0600, Dan White wrote:
> Verify that your password, stored within userPassword, is in plain text
> (when uudecoded). I do not recommend attempting to use 'pwcheck_method:
> auprop-hashed' with the slapd auxprop.

I confirm it was the problem: using saslauthd it works fine.

Here is my setup for reference. It does not use EXTERNAL on ldapi:/// 
after all

/usr/pkg/etc/openldap/slapd.conf:
    authz-policy any
    authz-regexp uid=([^,]*),cn=(plain|login|otp|external),cn=auth
             ldap:///dc=example,dc=net??sub?(uid=$1)

/usr/pkg/lib/sasl2/slapd.conf                                        
    pwcheck_method: saslauthd
    saslauthd_path: /var/run/saslauthd/mux
    mech_list: PLAIN LOGIN

/usr/pkg/etc/saslauthd.conf
    ldap_servers: ldaps://ldap.example.net
    ldap_search_base: dc=example,dc=net
    ldap_use_sasl: no


saslauthd is built with LDAP support and is started as:
    saslauthd -a ldap

Testing without slapd:
    testsaslauthd -u someone -p password -s slapd 

Now using authzid. In DIT:
    dn: uid=someone,dc=example,dc=net
    authzFrom: {0}dn:uid=manu,dc=example,dc=net

Everything is fine:
    $ ldapwhoami -Y PLAIN -X u:someone -U manu
    SASL/PLAIN authentication started
    Please enter your password: [manu's password]
    SASL username: u:someone
    SASL SSF: 0
    dn:uid=someone,dc=example,dc=net




-- 
Emmanuel Dreyfus
manu@netbsd.org

References:
- EXTERNAL mech missing
  - From: Emmanuel Dreyfus <manu@netbsd.org>
- Re: EXTERNAL mech missing
  - From: Dan White <dwhite@olp.net>
- Re: EXTERNAL mech missing
  - From: Emmanuel Dreyfus <manu@netbsd.org>
- Re: EXTERNAL mech missing
  - From: Dan White <dwhite@olp.net>
- Re: EXTERNAL mech missing
  - From: Emmanuel Dreyfus <manu@netbsd.org>
- Re: EXTERNAL mech missing
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: Bulk update
Next by Date: Doe's olcAuthzRegexp rules applied on the all incoming authentication requests?
Index(es):
- Chronological
- Thread