On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
Thank you Dan.
I simplified test environment. (see below)
- Problem summary
Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
I'm not sure, why this configuration does not work correctly. and It seems that LDAP server compare dn and input password in ldap authentication. (see log below)
To: Dan
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true?? I tested again. It seems that c=<realm> will set ``sasl-realm'' value.
In your original post, you specified this command:
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Did you specify '-R mydomain.com' in all the other examples?
I'm getting a little confused with which realm value we're talking about.
See the sasl_server_new(3) man page for a discussion of what sasl-host (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd config. I don't know what effect, if any, setting either value will have when using the digest-md5 mechanism.
In fact, in might simply things to drop the sasl realm (-R) altogether and capture the domain in the authentication identity (-U ldapuser@mydomain.com), if your environment supports it.
case1
# sasl-realm mydomain.com sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
Another way to approach this (without using realms):
sasl-regexp uid=([^@]+)@([^.]+).([^,]+),cn=.*,cn=auth uid=$1,ou=users,dc=$2,dc=$3
(and yes, I just broke my own rule about .*)