Buchan Milne wrote:
But, SASL authentication does not use a DN, but a username (as provided in the example Dieter gave you above). And you would need to have configured slapd to map a SASL identity to a DN for the bind to succeed.
I have an authz-regexp that maps SASL's 'uid=burianj,cn=plain,cn=auth' to 'uid=burianj,ou=people,dc=cqcb', which is the DN in my LDAP database, which appears to be working, based on my logs.
Dieter Kluenter wrote:
Did you create the password using any hashing method? Or is it plaintext?
The password is stored in LDAP as a {CRYPT}. I loaded the LDAP database using LDIF files created with the Migration Tools scripts (I don't know that those scripts are part of OpenLDAP, but they come packaged in Red Hat's OpenLDAP RPM). The users are stored as, at least, PosixAccount objects.
TechnoSophos wrote:
Since /etc/sasldb2 typically has strict permissions, this might be a permissions problem... or maybe the file doesn't exist.
The Cyrus-SASL docs make it sound like SASL, when built into OpenLDAP, will make the appropriate LDAP calls to read the configured LDAP database (in my case, BDB). Does SASL/PLAIN authentication require some outside agent to work (either a separate sasldb, or to route auth requests through saslauthd)? I'd rather keep all my user information in LDAP, as opposed to maintaining separate databases.
John