Rick Stevens wrote:
> So, SASL is happy with an entry in the sasldb, but obviously that DN isn't in the LDAP database. So, I added an authz-regexp:
>
> authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com
>
> Now, ldapwhoami gives me:
>
> [root@prophead ~]# ldapwhoami -w unix__gort
> SASL/DIGEST-MD5 authentication started
> SASL username: root
> SASL SSF: 128
> SASL installing layers
> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> Result: Success (0)
>
> Isn't that grand! That's what I want (I think),
Is that really what you think? Look closely.
dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> but it requires me to put an entry in the sasldb and I don't think that's necessary from what I gather from the docs. However, without it, I can't authenticate at all, and therefore can't even get to LDAP.
>
> That being said, even that doesn't appear to be enough as I have an access rule:
>
> access to attrs=userPassword
>         by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
And again, look closely.
by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
>         by dn="cn=manager,dc=gbsbilling,dc=com" write
>         by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
>         by anonymous auth
>         by self write
>         by * none
Pay attention to what you're doing.
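The mismatch the reply is pointing at is easy to miss by eye: the authz-regexp replacement contains `ou=people,ou=People`, so the mapped DN has two `ou=people` RDNs and never equals the `uid=root,ou=people,dc=gbsbilling,dc=com` that the access rule names, which is why the `userPassword` write grant never applies. The script below is an added example, not code from the thread or from OpenLDAP; it applies the posted authz-regexp to a SASL authentication DN the way slapd does (`$1` substituted with the first capture group), then compares the result against the ACL DN after case-folding and flags duplicated RDNs. The SASL DN `uid=root,cn=digest-md5,cn=auth` is constructed from the `SASL/DIGEST-MD5` line in the output; the simple comma-split, case-fold DN normalization is an assumption that is good enough for these plain `uid`/`ou`/`dc` values.

```python
import re

# Constructed from the thread: the authz-regexp as posted (pattern, replacement),
# the DN the access rule names, and a SASL authc DN of the form slapd builds for
# DIGEST-MD5 (uid=<user>,cn=<mechanism>,cn=auth).
POSTED_PATTERN = r"uid=([^,]*),cn=[^,]*,cn=auth"
POSTED_REPLACEMENT = "uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com"
ACL_DN = "uid=root,ou=people,dc=gbsbilling,dc=com"
SASL_AUTHC_DN = "uid=root,cn=digest-md5,cn=auth"


def rdn_components(dn):
    """Split a DN into case-folded RDN strings (assumption: no escaped commas,
    attribute types and these values compare case-insensitively)."""
    return [part.strip().lower() for part in dn.split(",")]


def normalize_dn(dn):
    """Canonical form used for equality comparison."""
    return ",".join(rdn_components(dn))


def apply_authz_regexp(authc_dn, pattern, replacement):
    """Emulate slapd's authz-regexp: match the authc DN against the pattern and
    substitute $1, $2, ... in the replacement with the capture groups.
    Returns None when the pattern does not match (slapd would then leave the
    authc DN unmapped)."""
    m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
    if m is None:
        return None
    mapped = replacement
    for i, group in enumerate(m.groups(), start=1):
        mapped = mapped.replace(f"${i}", group)
    return mapped


def check_mapping(authc_dn, pattern, replacement, acl_dn):
    """Report whether the mapped DN is the one the ACL grants to, and list any
    RDN that appears more than once in the mapped DN (the typo class seen in
    the thread)."""
    mapped = apply_authz_regexp(authc_dn, pattern, replacement)
    if mapped is None:
        return {"mapped": None, "matches_acl": False, "duplicate_rdns": []}
    comps = rdn_components(mapped)
    duplicates = sorted({c for c in comps if comps.count(c) > 1})
    return {
        "mapped": mapped,
        "matches_acl": normalize_dn(mapped) == normalize_dn(acl_dn),
        "duplicate_rdns": duplicates,
    }


if __name__ == "__main__":
    posted = check_mapping(SASL_AUTHC_DN, POSTED_PATTERN, POSTED_REPLACEMENT, ACL_DN)
    print("as posted:", posted)
    # Constructed corrected replacement with the extra ou=People dropped.
    fixed = check_mapping(SASL_AUTHC_DN, POSTED_PATTERN,
                          "uid=$1,ou=people,dc=gbsbilling,dc=com", ACL_DN)
    print("corrected:", fixed)
```

Running it shows the posted mapping yields `uid=root,ou=people,ou=People,dc=gbsbilling,dc=com`, which does not equal the ACL DN and carries a duplicated `ou=people`; dropping the redundant RDN from the replacement makes the mapped identity and the `by dn=...` clause agree, which is the check worth doing before trusting an ACL that silently falls through to `by * none`.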