lemons_terry@emc.com wrote:
Thanks, as ever, for the help, Kyle.
I started slapd in debug mode. When I executed the command you suggested, I see:
ldap_err2string
<= ldap_dn2bv(uid=root,cn=digest-md5,cn=auth)=0 Success
<<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=12] Failure: no secret in database
So, the good news is that "uid=root,cn=digest-md5,cn=auth" does look correct. But I then see "Converted SASL name to <nothing>". Here are the final lines in my /etc/openldap/slapd.conf:
# SASL options
password-hash {cleartext}
authz-regexp uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth uid=tlemons
authz-regexp uid=(.*),cn=digest-md5,cn=auth uid=tlemons
tivo2:~ #
I thought that the first authz-regexp line would have mapped any account to uid=tlemons, but this apparently didn't happen.
Also, when is the information in sasldb2 used? It looks to me like it isn't, and that authentication is occurring against entries that should be in the LDAP database itself?
It is used as far as sasldb2 is populated as appropriate; please refer to Cyrus SASL documentation for instructions about populating it.
As soon as you get to authz-regexp mapping, credentials are being looked up in the directory. Is "uid=tlemons" a valid DN in your DIT? I mean: does it resolve to an existing entry?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
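To make the mapping step concrete, here is an added simulation (not code from the thread or from OpenLDAP) of how slapd walks authz-regexp rules: in file order, first match wins, $1-$9 are substituted from the pattern's groups, and the result is only usable if it is a DN that exists in the directory. It runs the two rules from the slapd.conf excerpt above against the SASL name from the debug log, then a corrected rule set that maps onto a full DN; the suffix dc=example,dc=com and the corrected rules are assumptions of this example.

```python
import re

# The two authz-regexp rules from the slapd.conf excerpt, in file order.
# The replacement "uid=tlemons" is a bare RDN, not a DN under any suffix.
RULES_FROM_POST = [
    (r"uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth", "uid=tlemons"),
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=tlemons"),
]

# Corrected rules (assumption: the user entries live under this placeholder
# suffix, which the thread never states). Patterns are anchored, '.' in the
# hostname is escaped, and the replacement is a complete DN.
SUFFIX = "dc=example,dc=com"
RULES_FIXED = [
    (r"^uid=([^,]*),cn=tivo2\.backup,cn=digest-md5,cn=auth$",
     "uid=tlemons," + SUFFIX),
    (r"^uid=([^,]*),cn=digest-md5,cn=auth$",
     "uid=$1," + SUFFIX),
]


def authz_map(sasl_name, rules):
    """Return (rule_index, mapped_value) for the first rule whose pattern
    matches sasl_name, substituting $N with the N-th capture group;
    (None, None) if no rule matches (the '<nothing>' case in the log)."""
    for i, (pattern, template) in enumerate(rules):
        m = re.search(pattern, sasl_name)  # regexec() is unanchored without ^/$
        if m:
            mapped = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
            return i, mapped
    return None, None


def resolves_under_suffix(dn, suffix):
    """Cheap pre-check a defender can run by eye: a mapped value can only
    name an entry in a database whose suffix it actually ends with."""
    return dn is not None and dn.lower().endswith("," + suffix.lower())


if __name__ == "__main__":
    name = "uid=root,cn=digest-md5,cn=auth"  # SASL name from the debug log
    for label, rules in (("posted", RULES_FROM_POST), ("fixed", RULES_FIXED)):
        idx, dn = authz_map(name, rules)
        print(label, "-> rule", idx, "->", dn,
              "(under suffix)" if resolves_under_suffix(dn, SUFFIX) else "(no suffix)")
```

Note that the posted first rule never matches the logged name at all, because that name has no cn=tivo2.backup component; the second rule does match, but its output is a single RDN, which is the question raised in the reply above.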