
Re: sasl-auxprop (and sasl/slapd.conf)



On 11/17/15 18:38 +0100, Simone Piccardi wrote:
> I'm trying to understand which values I can use for the sasl-auxprop
> directives and how to configure (if possible) sasl/slapd.conf.

That's a lot more painful to determine than it should be. Do:

# cat > <path>/sasl/pluginviewer.conf << EOF
ldapdb_uri: ldapi:///
sql_select: select foo from bar
EOF

# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
     supports store: yes

On Debian based systems, use saslpluginviewer.

To this list, add 'slapd', which is the internal auxprop plugin, and
subtract ldapdb, which should not be used within the slapd server.

> I was trying to use the users created with saslpasswd2 -c (as written in
> the Administration guide) but no sasldb file was opened by the server (I
> straced out a full session). I tried to put an explicit configuration in
> sasl/slapd.conf, and stracing the server I saw it was opened and read, but
> the configuration inside is just ignored.

The auxprop_plugin configuration parameter is ignored. Most/all other
config statements will be honored.

> Reading the manpage I found it says that sasl-auxprops "Specify which
> auxprop plugins to use for authentication lookups." and that the default
> is to use the slapd internal support.
>
> But I did not define this one, and sasl/slapd.conf still seems to be
> ignored. And no possible values for the available plugins to use as
> sasl-auxprops parameter are listed.

If you wish to use the sasldb database, specify the 'sasldb' auxprop plugin
(via sasl-auxprops/olcSaslAuxprops), and maintain your authentication
database with saslpasswd2.

> I could get DIGEST-MD5 authentication working by putting the password inside
> the server (userPassword in CLEARTEXT), so it seems that the default is
> used anyway. But I'd like to have it working using sasldb or
> configuring sasl/slapd.conf to use saslauthd.

pwcheck_method is honored within sasl/slapd.conf.

--
Dan White
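
The rule given in the reply above (take the plugins pluginviewer reports, add 'slapd', subtract ldapdb) as an added shell example; it is not part of the original message. The function names and the sample input are constructed, and the parser assumes the plugin names appear whitespace-separated between the two marker lines shown in the reply.

```shell
#!/bin/sh
# Added example: list candidate values for sasl-auxprops / olcSaslAuxprops.
# Real use (Debian: saslpluginviewer):  pluginviewer -a | auxprop_candidates

# Reads `pluginviewer -a` output on stdin, prints one plugin name per line.
auxprop_candidates() {
    awk '
        # Names are listed between these two marker lines (assumption:
        # whitespace-separated, possibly spread over several lines).
        /^Installed and properly configured auxprop mechanisms are:/ { grab = 1; next }
        /^List of auxprop plugins follows/ { grab = 0 }
        grab { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END {
            delete seen["ldapdb"]  # should not be used within the slapd server
            seen["slapd"] = 1      # internal plugin, not reported by pluginviewer
            for (name in seen) print name
        }
    ' | sort
}

# Constructed sample input: the output from the reply, with ldapdb added to
# the installed list so the subtraction step is exercised.
sample_output() {
    cat <<'EOF'
Installed and properly configured auxprop mechanisms are:
sasldb ldapdb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
     supports store: yes
EOF
}

sample_output | auxprop_candidates
```
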