Fernando Torrez fernando_torrez@hotmail.com writes:
Hi all, thanks for all your suggestions.
I tried the suggested command (thanks Moorthi): ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I with no success. I got this error:
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I
SASL/DIGEST-MD5 authentication started
SASL Interaction
Default: u:test
Please enter your authorization name: test
Default: proxyuser
Please enter your authentication name: proxyuser
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: unable authorization ID
(Logs are at the bottom of this mail for details)
I also realized that the logs change almost nothing whether the command below is running or not:
saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
so I can say that unfortunately there's no communication between SASLAUTHD and LDAP.
Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter).
But I'm still wondering if there's a way to make the ldap server and cyrus-sasl work together. Let's be more accurate:
1.- Connect to the ldap server through cyrus-sasl (let's say an authenticated/authorized proxyuser connected to the ldap server)
2.- Once connected to the ldap server, authenticate/authorize another user (or any object) saved on the ldap server using the connection made in step 1
Is that possible? Or am I driving myself crazy for nothing?
[...]
Is there any particular reason to include an external identity provider daemon like saslauthd? Why don't you just use the built-in sasl functions? As I already mentioned:
1. create plaintext userPasswords,
2. configure authz-regexp to map the sasl authentication string to an entry (man slapd.conf(5)),
3. add to /etc/sasl2/slapd.conf 'auxprop_plugin: slapd',
4. test with ldapwhoami
If you want additional proxy authentication:
1. add an auth-policy to slapd.conf,
2. add an authzTo attribute and appropriate value to a proxy user entry,
3. test with ldapwhoami -X u:<proxy-user> -U <user> -Y <mechanism>
-Dieter
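To make the two checks behind Dieter's steps concrete (step 2, authz-regexp mapping of the SASL authentication string, and the proxy-authorization step, authzTo evaluated under the slapd.conf directive authz-policy), here is an added example that is not part of the thread and not OpenLDAP's own code: a small Python model of what slapd does with the identities from `ldapwhoami -U proxyuser -X u:test -Y digest-md5`. The suffix dc=example,dc=com, the entry DNs, the authz-regexp rule, the passwords and the authzTo value are all assumptions; the in-memory directory is constructed for the example. Only authz-policy "to" and the dn.exact:/dn.regex: forms of authzTo are modelled.

```python
import re

# Constructed in-memory directory standing in for the LDAP server in the thread.
# The DNs, suffix, passwords and the authzTo value are assumptions.
DIRECTORY = {
    "uid=proxyuser,ou=people,dc=example,dc=com": {
        "userPassword": "proxy-secret",  # plaintext, as step 1 requires
        "authzTo": ["dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"],
    },
    "uid=test,ou=people,dc=example,dc=com": {"userPassword": "test-secret"},
}

# authz-regexp as it would be written in slapd.conf (assumed values):
#   authz-regexp "^uid=([^,]+),cn=digest-md5,cn=auth$"
#                "uid=$1,ou=people,dc=example,dc=com"
AUTHZ_REGEXP = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$", r"uid=\1,ou=people,dc=example,dc=com"),
]


def sasl_auth_dn(authcid, mech, realm=None):
    """Pseudo-DN slapd derives from a SASL identity:
    uid=<id>,cn=<realm>,cn=<mech>,cn=auth; the cn=<realm> RDN is omitted
    when the client supplied no realm."""
    rdns = [f"uid={authcid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)


def map_identity(pseudo_dn, rules=AUTHZ_REGEXP):
    """Apply authz-regexp: the first matching rule wins. With no match the
    identity stays in the cn=auth pseudo-tree and names no real entry."""
    for pattern, replacement in rules:
        m = re.match(pattern, pseudo_dn, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return pseudo_dn


def resolve_authzid(authzid, mech, realm=None):
    """'-X u:<user>' goes through the same mapping as an authentication id;
    '-X dn:<dn>' is taken literally."""
    if authzid.startswith("u:"):
        return map_identity(sasl_auth_dn(authzid[2:], mech, realm))
    if authzid.startswith("dn:"):
        return authzid[3:]
    raise ValueError("authzid must be 'u:<user>' or 'dn:<dn>'")


def authz_to_allows(authc_dn, authz_dn, directory=DIRECTORY, policy="to"):
    """authzTo check under authz-policy 'to' (the only policy modelled): the
    authenticated entry must carry an authzTo value matching the requested
    identity. Only dn.exact: and dn.regex: values are handled."""
    if policy != "to":
        return False
    entry = directory.get(authc_dn)
    if entry is None:
        return False
    for rule in entry.get("authzTo", []):
        if rule.startswith("dn.exact:") and rule[len("dn.exact:"):] == authz_dn:
            return True
        if rule.startswith("dn.regex:"):
            if re.match(rule[len("dn.regex:"):], authz_dn, re.IGNORECASE):
                return True
    return False


def proxy_bind(authcid, password, authzid, mech="digest-md5", realm=None,
               directory=DIRECTORY, policy="to"):
    """Return (effective DN, reason). A DN of None means the bind fails the
    way the ldapwhoami run in the thread did."""
    authc_dn = map_identity(sasl_auth_dn(authcid, mech, realm))
    entry = directory.get(authc_dn)
    if entry is None:
        return None, f"authentication id maps to {authc_dn}, which is no entry"
    if entry.get("userPassword") != password:
        return None, "invalid credentials"
    if authzid is None:
        return authc_dn, "bound as self"
    authz_dn = resolve_authzid(authzid, mech, realm)
    if authz_to_allows(authc_dn, authz_dn, directory, policy):
        return authz_dn, "proxy authorization allowed by authzTo"
    return None, f"authorization failure: {authc_dn} may not assume {authz_dn}"


if __name__ == "__main__":
    for args in [("proxyuser", "proxy-secret", "u:test"),
                 ("test", "test-secret", "u:proxyuser"),
                 ("proxyuser", "proxy-secret", "u:test", "plain")]:
        print(args, "->", proxy_bind(*args))
```

Two of the model's failure paths correspond to what the thread shows: with no authz-regexp matching the mechanism, the authentication id never reaches a real entry, and with no authzTo value (or a policy other than "to") the bind stops at the authorization step, which is the point at which ldapwhoami reported "authorization failure".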