On Sun, Jul 10, 2011 at 5:41 PM, Dan White dwhite@olp.net wrote:
ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b uid=user,ou=people,dc=my,dc=domain
And everyting works ok. My doubt is:
who is performing the password checking? The openldap server daemon (slapd) ou the ldapsearch ?
When userPassword is configured with '{SASL}user@domain', you are using SASL pass-through authentication. See section 14.5 (Pass-Through authentication) of the OpenLDAP Administrator's Guide for documentation.
In such a scenario, authentication is ultimately handled by the libsasl2 glue layer, and is controlled by the configuration of your sasl slapd.conf file, which is typically found in /usr/lib/sasl2/slapd.conf.
Presumably you've configured pass-through authentication because of a need to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).
On 10/07/11 17:56 -0300, Friedrich Locke wrote:
Thanks for your response!
But who is doing the comunication with saslauthd, the slap daemon process or the ldapsearch process ?
Thanks once more!
slapd will be communicating with saslauthd (or your configured pwcheck_method) via libsasl2.
With your ldapsearch command, the dn and password will be transmitted in clear text over the wire to your openldap/slapd server, for authentication, unless you've configured ldaps or starttls encryption for protection.