
Re: SASL EXTERNAL auth issues



Penza Kenneth at MITA wrote:
> I am using RHEL7 and openldap from the LTB project (to test out SSHA password
> hashing). Currently I am having issues configuring SASL EXTERNAL auth. Maybe
> I am missing something, any pointers would be appreciated.

First of all you should always test with ldapwhoami command-line tool. It will
show you the authc-DN and authz-DN.

For really using SASL/EXTERNAL you need authz-regexp statement(s) in slapd.conf
or attribute olcAuthzRegexp in cn=config to map the authc-DN to an authz-DN.

See the man pages for details.

Example on my system:

$ ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=michael ströder+mail=michael@stroeder.com,ou=private,dc=stroeder,dc=de

Based on this mapping:

dn: cn=config
[..]
olcAuthzRegexp: {1}"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=ex
 ternal,cn=auth" "ldap:///dc=stroeder,dc=de??sub?(&(objectClass=posixAccount
 )(uidNumber=$2)(gidNumber=$1))"

Ciao, Michael.
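Added illustration, not part of Michael's message and not OpenLDAP's own code: the script below replays the two stages slapd goes through with an olcAuthzRegexp rule like the one above. Stage one matches the SASL authc identity against the rule's pattern (slapd compiles it case-insensitively, which is why the lower-case pattern matches the mixed-case "gidNumber=...+uidNumber=..." username) and expands $1/$2 into the LDAP URL. Stage two runs that URL as a search and accepts the mapping only when exactly one entry comes back; zero hits or an ambiguous filter leave the client with no authz-DN. The rule is copied from the message; the toy directory, the second "ambiguous" rule used in the checks, and the tiny filter evaluator (AND of equality assertions only) are constructed for this example.

```python
import re
from urllib.parse import unquote

# Copy of the olcAuthzRegexp rule from the message: (match pattern, template).
# $1 and $2 refer to the captured groups, as in slapd.
AUTHZ_RULES = [
    (
        r"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth",
        "ldap:///dc=stroeder,dc=de??sub?"
        "(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))",
    ),
]

# Constructed toy directory standing in for dc=stroeder,dc=de.
# Attribute names are stored lower-cased (LDAP attribute types are case-insensitive).
DIRECTORY = [
    {"dn": "cn=michael ströder+mail=michael@stroeder.com,ou=private,dc=stroeder,dc=de",
     "objectclass": {"posixAccount", "inetOrgPerson"},
     "uidnumber": {"1000"}, "gidnumber": {"100"}},
    {"dn": "uid=guest,ou=private,dc=stroeder,dc=de",
     "objectclass": {"posixAccount"},
     "uidnumber": {"1001"}, "gidnumber": {"100"}},
]


def rewrite(authc_id, rules=AUTHZ_RULES):
    """Stage 1: the first rule whose pattern matches yields the expanded template.

    slapd matches the pattern case-insensitively and does not anchor it for you;
    anchoring with ^ and $ is the usual practice so that only the whole
    authc identity can match, not a substring of a longer one.
    """
    for pattern, template in rules:
        m = re.search(pattern, authc_id, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return None  # no rule matched: no authz-DN for this client


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("not an LDAP URL: " + url)
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, scope or "base", flt or "(objectClass=*)"


def in_scope(dn, base, scope):
    """Minimal scope check on string DNs (sub, one, base)."""
    dn, base = dn.lower(), base.lower()
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base


def filter_matches(flt, entry):
    """Evaluate an AND of equality assertions, the only filter shape used here."""
    terms = re.findall(r"\(([A-Za-z0-9.-]+)=([^()]*)\)", flt)
    return all(
        val.lower() in {v.lower() for v in entry.get(attr.lower(), ())}
        for attr, val in terms
    )


def resolve_authz_dn(authc_id, directory=DIRECTORY, rules=AUTHZ_RULES):
    """Stage 2: run the search; the mapping is accepted only for exactly one hit."""
    target = rewrite(authc_id, rules)
    if target is None:
        return None
    if not target.startswith("ldap:///"):
        return target  # the rule produced a DN directly, no search needed
    base, scope, flt = parse_ldap_url(target)
    hits = [e["dn"] for e in directory
            if in_scope(e["dn"], base, scope) and filter_matches(flt, e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # The SASL username ldapwhoami printed in the message.
    peercred = "gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth"
    print("authc:", peercred)
    print("url:  ", rewrite(peercred))
    print("authz:", resolve_authz_dn(peercred))
```

When debugging a real setup, the first line of `rewrite` is what to compare against the "SASL username:" line ldapwhoami prints: if the pattern does not match that string exactly as shown, slapd never gets to the search, and a filter that matches several posixAccount entries (the constructed second rule in the checks) fails just as silently as one that matches none.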

