Hi
Sorry again if this is the wrong place for OpenLDAP questions. I've got a
question about slapauth...
We don't have SASL support enabled. The immediate question is... does
slapauth require SASL support? (I've seen a bunch of SASL references in my
quest to find some slapauth examples on the web.)
So here's the only slapauth example I've been able to find
(repeatedly)...
The command

    /usr/local/sbin/slapauth \
        -f //usr/local/etc/openldap/slapd.conf -v \
        -U bjorn -X u:bjensen

tests whether the user bjorn can assume the identity of the user
bjensen provided the directives

    authz-policy from
    authz-regexp "^uid=([^,]+).*,cn=auth$"
        "ldap:///dc=example,dc=net??sub?uid=$1"

are defined in slapd.conf(5).
I've read the authz-policy and authz-regexp descriptions in the slapd.conf
man page, but I'm relatively new to OpenLDAP, and admittedly don't
understand much of those descriptions.
I've been trying the following command, which I think should yield a
successful authorization, but the authorization fails.
/usr/local/sbin/slapauth -v -f /usr/local/etc/openldap/slapd.conf -U
"cn=BDB1man,o=BDB1" -X u:"cn=John Thayer,o=BDB1"
bdb_monitor_open: monitoring disabled; configure monitor database to enable
<= bdb_equality_candidates: (objectClass) not indexed
<= bdb_equality_candidates: (objectClass) not indexed
ID: <cn=BDB1man,o=BDB1>
authcDN: <uid=cn\3Dbdb1man\2Co\3Dbdb1,cn=auth>
authzDN: <uid=cn\3Djohn thayer\2Co\3Dbdb1,cn=auth>
authorization failed
"cn=BDB1man,o=BDB1" is my rootdn, and "cn=John Thayer,o=BDB1" is an entry
in the o=BDB1 tree.
My database declaration in slapd.conf is as follows...
database bdb
suffix "o=BDB1"
rootdn "cn=BDB1man,o=BDB1"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw plop
timelimit 1
idletimeout 4
# The userPassword attribute is writeable by the entry itself and
# "StoogeAdmin". It may be used for authentication purposes, but
# is otherwise not readable
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=BDB1man,o=BDB1" write
    by * none
# All other attributes are writeable by the entry itself and
# "StoogeAdmin", and may be read by all users
access to *
    by self write
    by dn.base="cn=BDB1man,o=BDB1" write
    by * read
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index sn,mail,uid,title eq
So since I allow "cn=BDB1man,o=BDB1" write access to everything, I was
thinking he should be able to assume the identity of "cn=John
Thayer,o=BDB1", and the slapauth authorization should be allowed.
But if slapauth requires SASL support, then this whole thing is easily
explained. (That would be why the authorization is failing, right?)
Thanks in advance for your help!
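To make the identity mapping in the quoted man page example concrete, here is an added Python sketch (not code from OpenLDAP or from the poster) that mimics how a `u:<user>` identity becomes the `uid=<user>,cn=auth` pseudo-DN seen in the slapauth output above, and how an `authz-regexp` rule rewrites that pseudo-DN into a search URI. The escape set and the lowercasing are assumptions chosen to reproduce the `authcDN` shown in the post, not a reimplementation of slapd's normalizer.

```python
import re

# Characters hex-escaped when a "u:" user name is placed into the value of
# the uid=<user>,cn=auth pseudo-DN. Assumption: this set reproduces the
# \3D (for '=') and \2C (for ',') escapes visible in the post's output.
ESCAPE = ',=+"<>;\\'

# Rule from the man page example quoted above: (pattern, replacement)
MANPAGE_RULES = [
    (r"^uid=([^,]+).*,cn=auth$", "ldap:///dc=example,dc=net??sub?uid=$1"),
]


def authc_dn(user):
    """Build the cn=auth pseudo-DN slapd derives from a u:<user> identity.

    The post's output shows the value lowercased (DN normalization), so the
    user name is lowercased here as well (assumption).
    """
    norm = "".join(f"\\{ord(c):02X}" if c in ESCAPE else c
                   for c in user.lower())
    return f"uid={norm},cn=auth"


def apply_authz_regexp(dn, rules):
    """Apply authz-regexp rules in order; return the first rewrite or None.

    With no matching rule the pseudo-DN is left under cn=auth, where no
    real entry exists, which is why a bare DN passed as a u: user name
    cannot map back to the rootdn.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, dn)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), 1):
                out = out.replace(f"${i}", group)
            return out
    return None


if __name__ == "__main__":
    for user in ("bjorn", "cn=BDB1man,o=BDB1"):
        dn = authc_dn(user)
        print(f"{user!r:28} -> {dn}")
        print(f"{'':28}    rewrites to {apply_authz_regexp(dn, MANPAGE_RULES)}")
```

Running it shows that the man page's `-U bjorn` rewrites to a `uid=bjorn` search URI, while the whole DN from the post is treated as one escaped user name and rewrites to a `uid=cn\3Dbdb1man\2Co\3Dbdb1` search that no entry will satisfy.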