The slapd.conf option "authz-regexp", according to man page is...:
Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, to an LDAP DN used for authorization purposes.
I am searching how to do the exact reverse thing, and I haven't found an option for it. Specifically, I would like to convert the LDAP dn provided in a simple LDAP bind, to an authentication token (userid, realm, password) that would be passed to the SASL subsystem for the purposes of authentication. The SASL subsystem would then be responsible to do the authentication, just as if SASL authentication ('-Y') were used.
Am I correct in assuming that this functionality currently does not exist?
Alexandros Vellis
At 02:14 AM 12/22/2006, Alexandros Vellis wrote:
> The slapd.conf option "authz-regexp", according to man page is...:
> Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, to an LDAP DN used for authorization purposes.
> I am searching how to do the exact reverse thing, and I haven't found an option for it.
Because the exact reverse thing doesn't exist.
However, you might look at using the {SASL} userPassword scheme. See http://www.openldap.org/faq/index.cgi?file=944. Note that while this FAQ answer is written from a Kerberos perspective, the mechanism works just fine with various other Cyrus SASL saslauthd(8) configurations.
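The two directions discussed in this thread, as an added configuration sketch (not part of the original posts or the OpenLDAP documentation): authz-regexp maps a SASL identity to a DN, while a {SASL} userPassword value makes slapd pass a simple bind's password to Cyrus SASL, here assumed to be backed by saslauthd. The realm, suffix, user name and socket path are constructed placeholders, and slapd is assumed to be built with --enable-spasswd.

```conf
# --- slapd.conf (OpenLDAP server) ---
# Direction the man page describes: SASL authentication identity -> LDAP DN.
# Mechanism, realm and suffix are constructed placeholders.
authz-regexp
    uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# With {SASL} the client's password reaches slapd in the clear inside the
# simple bind, so refuse simple binds that are not protected by TLS.
security simple_bind=128

# --- Cyrus SASL application config for slapd ---
# A file named slapd.conf in the Cyrus SASL config directory
# (its location depends on how Cyrus SASL was built).
pwcheck_method: saslauthd
# Assumed socket path; it must match the one saslauthd listens on.
saslauthd_path: /var/run/saslauthd/mux

# --- LDIF: let saslauthd verify this entry's simple-bind password ---
# The value after {SASL} is the user name handed to Cyrus SASL,
# not a password hash.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.COM
```

A simple bind as uid=jdoe,ou=people,dc=example,dc=com then succeeds only if saslauthd accepts the supplied password for jdoe@EXAMPLE.COM.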
"Kurt" == Kurt D Zeilenga Kurt@OpenLDAP.org writes:
Kurt> At 02:14 AM 12/22/2006, Alexandros Vellis wrote:
>> The slapd.conf option "authz-regexp", according to man page is...:
>>
>> Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, to an LDAP DN used for authorization purposes.
>>
>> I am searching how to do the exact reverse thing, and I haven't found an option for it.

Kurt> Because the exact reverse thing doesn't exist.

Kurt> However, you might look at using the {SASL} userPassword scheme. See http://www.openldap.org/faq/index.cgi?file=944. Note that while this FAQ answer is written from a Kerberos perspective, the mechanism works just fine with various other Cyrus SASL saslauthd(8) configurations.
Or have a look at http://bayour.com/LDAPv3-HOWTO.html. It deals with just this sort of thing...
openldap-software@openldap.org