Hi, I have read slapd.conf(5) on authz-policy, and I'm confused now. I also find that I gave you an incorrect slapd.conf; the correct one is below:

include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
#binddn="uid=proxy,ou=People,dc=example,dc=com"
#credentials=proxy
#mode=self

database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"

There is no proxy.
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com"
credentials=proxy
mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy authorization, but you have not defined such in slapd.conf. Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.
-Dieter
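To make the authz-regexp step in the quoted slapd.conf and log concrete, here is an added Python model (not code from the thread or from OpenLDAP) of how the SASL identity from `ldapsearch -U admin` is mapped to the search URL, plus a small parser for the bind and authzDN fields in the log above. It assumes slapd matches the lower-cased SASL DN case-insensitively against each rule in order and falls back to the unchanged SASL DN when nothing matches; the log text is a constructed copy of the lines in the thread.

```python
import re

# Constructed rules mirroring the authz-regexp directive in the quoted slapd.conf:
# (pattern over the SASL authentication DN, replacement with $1..$9 placeholders).
AUTHZ_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth",
     "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"),
]

def sasl_authc_dn(authcid, mech, realm=None):
    """Identity slapd builds for a SASL bind: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth
    (lower-cased here, as the normalized form slapd matches against)."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts).lower()

def apply_authz_regexp(sasl_dn, rules=AUTHZ_REGEXP_RULES):
    """First matching rule wins; its $n capture groups are substituted into the
    replacement. Assumption: whole-DN, case-insensitive match. No match: the
    SASL DN itself is returned unchanged."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])", lambda n: m.group(int(n.group(1))), replacement)
    return sasl_dn

def is_search_url(mapped):
    """A replacement may be a DN or an LDAP URL; a URL means slapd must run a search."""
    return mapped.lower().startswith("ldap:///")

# Constructed copy of the relevant slapd log lines from the thread.
SAMPLE_LOG = """\
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
"""

def parse_sasl_bind_log(log_text):
    """Extract mechanism, bound DN, SSF and the requested authzDN ("" = none)."""
    info = {}
    m = re.search(r'do_bind: SASL/(\S+) bind: dn="([^"]*)" sasl_ssf=(\d+)', log_text)
    if m:
        info.update(mech=m.group(1), bind_dn=m.group(2), ssf=int(m.group(3)))
    m = re.search(r'authzDN="([^"]*)"', log_text)
    if m:
        info["authz_dn"] = m.group(1)
    return info
```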