Seau Yeen Su seauyeen@mgrc.com.my writes:
Hi Michael, thank you so much for your response.
- Yes, I am talking about SASL bind with password-based mechs. What do you mean by in-directory passwords? Where are the in-directory passwords stored? How do I set userPassword attributes? Can you give an example? It should be in slapd.conf, I assume.
No, userPassword is an attribute type.
- Again, what do you mean by the directory? What is the best practice if I want to implement SASL bind with my OpenLDAP? Can you advise please.
1. Add the following attribute to cn=config:
   olcAuthzRegexp: {0}"uid=(.*),cn=.*,cn=auth" "ldap:///dc=example,dc=com??sub?uid=$1"
2. SASL requires the attribute type 'uid'. If your user entries don't have this attribute assigned, add it; this may require the additional objectClass uidObject if your user entries do not belong to objectClass inetOrgPerson.
3. In order to verify the SASL mechanism challenge, the value of userPassword has to be plaintext. To ensure this, add something like olcPasswordHash: {CLEARTEXT} to cn=config.
4. Try something like 'ldapwhoami -Y digest-md5 -U someUser -w secret -H ldap://your.host'. The result should be the DN of someUser.
[...]
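The steps above, collected into one cn=config LDIF as an added example (this is not from the thread or from the OpenLDAP project). The suffix dc=example,dc=com, the user entry cn=Some User,ou=people,dc=example,dc=com, and the database DN olcDatabase={1}mdb,cn=config are placeholder assumptions; the olcAccess entry at the end is an addition beyond the thread, restricting who can read the now-cleartext userPassword values.

```ldif
# Added example, applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl-config.ldif
# Assumed placeholders: dc=example,dc=com, ou=people, {1}mdb.

# Step 1: map the SASL authorization DN onto a real entry.
# DIGEST-MD5 presents uid=<user>,cn=<realm>,cn=digest-md5,cn=auth;
# the regexp rewrites it into a subtree search on uid.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"uid=(.*),cn=.*,cn=auth" "ldap:///dc=example,dc=com??sub?uid=$1"
-
# Step 3: keep userPassword in cleartext so slapd can verify the
# DIGEST-MD5 response. This affects passwords set through the
# Password Modify extended operation (ldappasswd); values written
# directly with ldapmodify are stored exactly as given.
add: olcPasswordHash
olcPasswordHash: {CLEARTEXT}

# Step 2: give the user entry a uid. Adding the objectClass and the
# attribute in one modify keeps the entry schema-valid, since the
# whole modify is applied atomically.
dn: cn=Some User,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: uidObject
-
add: uid
uid: someUser

# Addition beyond the thread: with cleartext storage, only the entry
# owner may read or write userPassword; anonymous may use it for
# authentication only. {0} inserts this rule before existing ACLs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
```

After applying it, set the password with ldappasswd so that the {CLEARTEXT} scheme takes effect, then run the ldapwhoami check from step 4; it should print dn:uid=someUser,... rather than the cn=auth form.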