Hi
Sorry again if this is the wrong place for OpenLDAP questions. I've got a question about slapauth...
We don't have SASL support enabled. The immediate question is... does slapauth require SASL support? (I've seen a bunch of SASL references in my quest to find some slapauth examples on the web.)
So here's the only slapauth example I've been able to find (repeatedly)...
The command
    /usr/local/sbin/slapauth -f //usr/local/etc/openldap/slapd.conf -v \
            -U bjorn -X u:bjensen
tests whether the user bjorn can assume the identity of the user bjensen provided the directives
    authz-policy from
    authz-regexp "^uid=([^,]+).*,cn=auth$"
            "ldap:///dc=example,dc=net??sub?uid=$1"
are defined in slapd.conf(5).
I've read the authz-policy and authz-regexp descriptions in the slapd.conf man page, but I'm relatively new to OpenLDAP, and admittedly don't understand much of those descriptions.
I've been trying the following command, which I think should yield a successful authorization, but the authorization fails.
    /usr/local/sbin/slapauth -v -f /usr/local/etc/openldap/slapd.conf \
            -U "cn=BDB1man,o=BDB1" -X u:"cn=John Thayer,o=BDB1"

    bdb_monitor_open: monitoring disabled; configure monitor database to enable
    <= bdb_equality_candidates: (objectClass) not indexed
    <= bdb_equality_candidates: (objectClass) not indexed
    ID: <cn=BDB1man,o=BDB1>
    authcDN: <uid=cn\3Dbdb1man\2Co\3Dbdb1,cn=auth>
    authzDN: <uid=cn\3Djohn thayer\2Co\3Dbdb1,cn=auth>
    authorization failed

"cn=BDB1man,o=BDB1" is my rootdn, and "cn=John Thayer,o=BDB1" is an entry in the o=BDB1 tree.
My database declaration in slapd.conf is as follows...
    database        bdb
    suffix          "o=BDB1"
    rootdn          "cn=BDB1man,o=BDB1"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw          plop
    timelimit       1
    idletimeout     4
    # The userPassword attribute is writeable by the entry itself and
    # "StoogeAdmin". It may be used for authentication purposes, but
    # is otherwise not readable
    access to attrs=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=BDB1man,o=BDB1" write
            by * none
    # All other attributes are writeable by the entry itself and
    # "StoogeAdmin", and may be read by all users
    access to *
            by self write
            by dn.base="cn=BDB1man,o=BDB1" write
            by * read
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /usr/local/var/openldap-data
    # Indices to maintain
    index   sn,mail,uid,title       eq
So since I allow "cn=BDB1man,o=BDB1" write access to everything, I was thinking he should be able to assume the identity of "cn=John Thayer,o=BDB1", and the slapauth authorization should be allowed.
But if slapauth requires SASL support, then this whole thing is easily explained. (that would be why the authorization is failing right?)
Thanks in advance for your help!
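Added illustration (editor's example, not code from the post, from the slapauth man page, or from OpenLDAP itself) of what the authz-regexp directive quoted above does: the SASL-style identity slapauth prints as authcDN (uid=...,cn=auth) is matched against the regexp, $1 is substituted into the replacement, and the resulting ldap:/// URL is searched to find the real entry. The function names, the in-memory SAMPLE_DIRECTORY and the single-equality-filter lookup are constructed for this simulation; OpenLDAP's own matching is done by slapd with a real search. Running it on the authcDN from the post's output shows that [^,]+ captures the whole escaped value (\3D for "=", \2C for ","), so the rewritten URL searches for a uid attribute equal to that escaped string.

```python
import re

# The authz-regexp pair quoted from the slapauth(8) man page example.
AUTHZ_REGEXP = r"^uid=([^,]+).*,cn=auth$"
AUTHZ_REPLACEMENT = "ldap:///dc=example,dc=net??sub?uid=$1"

# Constructed sample directory (not the poster's data): DN -> attributes.
SAMPLE_DIRECTORY = {
    "uid=bjorn,ou=people,dc=example,dc=net": {"uid": ["bjorn"]},
    "uid=bjensen,ou=people,dc=example,dc=net": {"uid": ["bjensen"]},
}


def rewrite_authz_id(authc_dn, pattern=AUTHZ_REGEXP, replacement=AUTHZ_REPLACEMENT):
    """Simulate the authz-regexp rewrite step.

    If the SASL-style identity (e.g. "uid=bjorn,cn=auth") matches the
    regexp, substitute $1..$9 into the replacement and return the resulting
    DN or ldap:/// URL; otherwise return None (no rewrite applies).
    """
    match = re.match(pattern, authc_dn)
    if match is None:
        return None
    # Replacement is a callable so captured text (which may contain
    # backslash escapes such as \3D) is inserted literally.
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), replacement)


def parse_ldap_url(url):
    """Split an ldap:/// search URL (RFC 4516 shape) into base DN, attribute
    list, scope and filter. Only the fields authz-regexp produces are handled."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("not an ldap:/// URL: %r" % url)
    parts = url[len(prefix):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts[:4]
    return {
        "base": base,
        "attrs": attrs.split(",") if attrs else [],
        "scope": scope or "base",  # RFC 4516 default scope
        "filter": filt,
    }


def resolve_url(url, directory=SAMPLE_DIRECTORY):
    """Resolve a rewritten ldap:/// URL against the sample directory.

    Only the single equality filter the man page example produces
    ("attr=value") is supported. Returns the list of matching DNs; the
    mapping is usable only when exactly one entry matches.
    """
    spec = parse_ldap_url(url)
    attr, _, value = spec["filter"].partition("=")
    base = spec["base"].lower()
    matches = []
    for dn, attrs in directory.items():
        dn_l = dn.lower()
        if spec["scope"] == "base":
            in_scope = dn_l == base
        else:  # "one" is treated like "sub" in this simulation
            in_scope = dn_l == base or dn_l.endswith("," + base)
        values = [v.lower() for v in attrs.get(attr.lower(), [])]
        if in_scope and value.lower() in values:
            matches.append(dn)
    return matches


def map_identity(authc_dn, directory=SAMPLE_DIRECTORY):
    """Full chain: regexp rewrite, then URL lookup. Returns the list of DNs
    the identity maps to ([] when no rewrite applies or nothing matches)."""
    target = rewrite_authz_id(authc_dn)
    if target is None:
        return []
    if target.startswith("ldap:///"):
        return resolve_url(target, directory)
    return [target]  # a plain-DN replacement maps directly


if __name__ == "__main__":
    # The man page identity, then the authcDN printed in the post's output.
    for ident in ("uid=bjorn,cn=auth", r"uid=cn\3Dbdb1man\2Co\3Dbdb1,cn=auth"):
        print(ident, "->", rewrite_authz_id(ident), "->", map_identity(ident))
```

The first identity rewrites to ldap:///dc=example,dc=net??sub?uid=bjorn and resolves to one entry in the sample directory; the second rewrites to a URL whose filter is uid=cn\3Dbdb1man\2Co\3Dbdb1, which matches nothing in the sample directory. A DN given as -U that does not end in ",cn=auth" is not rewritten by this regexp at all.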