Hi Gaurav
You show it yourself in the log output that SASL is working OK with your LDAP server:
1. the conversion from -U serviceusr to the DN uid=serviceusr,ou=system,o=bcs is OK,
2. (I presume) the password of this DN was entered correctly with the ldapsearch command,
3. according to your log output, the connection was established.
suomi
On 02/13/2012 12:10 PM, Gaurav Gugnani wrote:
Hello Dan,
Thanks a lot for making things work.
I'm jotting down the steps which I executed to make SASL work:
Steps to make the SASL configuration work:
1> Install the following packages:
   - cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
   - cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
2> Create sasl2/slapd.conf: vi /usr/lib64/sasl2/slapd.conf

   [root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
   # SASL Configuration
   pwcheck_method: auxprop
   auxprop_plugin: slapd
   mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
3> Modify $LDAP_HOME/etc/openldap/slapd.conf:

   password-hash {CLEARTEXT}
   authz-regexp "uid=(.*),cn=DIGEST-MD5,cn=auth" "uid=$1,ou=System,o=xyz"

   # ACL
   access to attrs="userpassword"
       by anonymous auth
       by self write
       by group="cn=LDAP Admins,ou=Groups,o=xyz" write
       by dn="uid=replicator,ou=System,o=xyz" read

   access to dn.base="o=xyz"
       by group="cn=LDAP Admins,ou=Groups,o=xyz" write
       by dn="uid=serviceusr,ou=System,o=xyz" read
       by dn="uid=monitorusr,ou=System,o=xyz" read
       by dn="uid=replicator,ou=System,o=xyz" read
       by users read

   access to dn.subtree="ou=Subscribers,o=xyz"
       by group="cn=LDAP Admins,ou=Groups,o=xyz" write
       by dn="uid=serviceusr,ou=System,o=xyz" write
       by dn="uid=monitorusr,ou=System,o=xyz" write
       by dn="uid=replicator,ou=System,o=xyz" read

   access to dn.subtree="ou=System,o=xyz"
       by anonymous auth
       by self write
       by group="cn=LDAP Admins,ou=Groups,o=xyz" write
       by dn="uid=replicator,ou=System,o=xyz" read

   access to *
       by self write
       by group="cn=LDAP Admins,ou=Groups,o=xyz" write
       by dn="uid=replicator,ou=System,o=xyz" read
On executing the command:

   ldapsearch -Y DIGEST-MD5 -U serviceusr -b 'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'

it's clearly displayed in the log:

   .....
   conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
   do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128
   .....
Now, I wanted to confirm: are these the only steps, or am I missing something? How do I confirm that SASL has been enabled and it's working fine?
Please provide some input on this.
Thanks and Regards, Gaurav Gugnani
On Thu, Feb 9, 2012 at 1:48 AM, Dan White <dwhite@olp.net> wrote:
On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
> Thanks Dan, it worked. Now hopefully the last query from my side (sorry to bother you so much).
> As I gave:
>
>    access to dn.subtree="ou=System,o=xyz"
>        by dn="uid=sasluser21,ou=System,o=xyz" read
>        by anonymous auth
>
> So, will giving the anonymous privilege cause any issue?
> I read the following: "Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry)."
> What is its impact? Please put some light on it.

Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.

-- Dan White
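The two checks the thread relies on, the authz-regexp mapping of the SASL identity for -U serviceusr to a directory DN and the mech=DIGEST-MD5 sasl_ssf=128 evidence in the slapd log, as an added Python example that is not part of the thread. The log lines are constructed sample data, and the case-insensitive regex match is an approximation of slapd's authz-regexp behaviour, not slapd's own code.

```python
import re

# Constructed slapd log excerpt in the format quoted in the thread (sample data, not a real log):
# conn=12323 is a SASL/DIGEST-MD5 bind, conn=12324 a simple bind, conn=12325 an anonymous bind.
SAMPLE_LOG = """\
conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=12323 op=1 RESULT tag=97 err=0 text=
conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" method=128
conn=12324 op=0 RESULT tag=97 err=0 text=
conn=12325 op=0 BIND dn="" method=128
"""

# The authz-regexp rule from the thread: SASL authentication identity -> directory DN.
AUTHZ_REGEXP = (r"uid=(.*),cn=DIGEST-MD5,cn=auth", r"uid=$1,ou=System,o=xyz")

def map_authcid(sasl_dn, rule=AUTHZ_REGEXP):
    """Approximate slapd's authz-regexp: match the SASL identity (case-insensitively, an
    assumption about slapd's matching) and expand $1..$9 into the replacement.
    Returns None when the rule does not match, i.e. the identity would not map to a DN."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"'
    r'(?: mech=(?P<mech>\S+) sasl_ssf=(?P<sasl_ssf>\d+))?(?: method=(?P<method>\d+))?')

def classify_binds(log_text):
    """One record per BIND line: 'sasl' when a mechanism and sasl_ssf are logged,
    'simple' for method=128 with a DN, 'anonymous' for an empty DN."""
    records = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        kind = "sasl" if f["mech"] else ("simple" if f["dn"] else "anonymous")
        records.append({"conn": int(f["conn"]), "dn": f["dn"], "kind": kind,
                        "mech": f["mech"], "sasl_ssf": int(f["sasl_ssf"] or 0)})
    return records

def sasl_connections(log_text, mech="DIGEST-MD5", min_ssf=1):
    """Connections that bound with the expected SASL mechanism and a non-zero sasl_ssf."""
    return [r["conn"] for r in classify_binds(log_text)
            if r["kind"] == "sasl" and r["mech"].upper() == mech and r["sasl_ssf"] >= min_ssf]
```

A simple bind over a cleartext connection shows up as method=128 with no mech, so running classify_binds over a real log also reveals clients that are still not using SASL.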