On Mon, Dec 17, 2012 at 11:08:11AM -0600, Dan White wrote:
You should not use the ldapdb auxprop plugin within slapd's sasl config. You should be using 'slapd' instead, which is the default (it's an internal auxprop plugin distributed with OpenLDAP).
If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is ignored anyway
Right, I removed it, but it should not change anything. And indeed it does not change anything.
# su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net -Y PLAIN -H ldaps://ldap.example.net'
That command doesn't make sense. '-U uid=someone,dc=example,dc=net' should be '-U someone' instead,
I tried that and got the same result.
and you should create new authz-regexp rules to map a sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.
I did this. With debug acl level, I can see that the uid=someone,dc=example,dc=net is tried for auth, but it fails.
You could also do: su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///' with an appropriately written authz-regexp rule. 'someone' would need unix file permissions to access your ldapi unix socket.
That works, but what I am looking for is to get SASL PLAIN working over the network with TLS. I want to use authzid.
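For reference, here is what the mapping discussed in this thread looks like in slapd.conf; this is an added illustration, not configuration taken from the thread, and it assumes the dc=example,dc=net base DN from the commands above and a flat tree where user entries carry uid and uidNumber.

```conf
# Added example: map SASL identities to directory DNs in slapd.conf.
# slapd presents a SASL PLAIN login as the normalized pseudo-DN
#   uid=<user>,cn=plain,cn=auth              (no realm)
#   uid=<user>,cn=<realm>,cn=plain,cn=auth   (with realm)
# so one rule covers both; $1 is the captured user name. Matching the
# mechanism explicitly (cn=plain) keeps this rule from also mapping
# identities arriving via other mechanisms.
authz-regexp
    "^uid=([^,]*),(cn=[^,]*,)?cn=plain,cn=auth$"
    "uid=$1,dc=example,dc=net"

# For -Y EXTERNAL over ldapi:///, slapd derives the identity from the
# client's Unix credentials instead:
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# A search URL on the right-hand side resolves the numeric uid to the
# matching entry; it must match exactly one entry or the bind fails.
authz-regexp
    "^gidnumber=[0-9]+\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth$"
    "ldap:///dc=example,dc=net??one?(uidNumber=$1)"

# Proxy authorization (the -X authzid the thread wants) is off by default.
# Enabling it requires a policy plus authzTo/authzFrom attributes on the
# entries allowed to assume another identity; without these the mapped
# DN can still bind, but any authzid is refused.
authz-policy to
```

Restart slapd or reload the equivalent olcAuthzRegexp/olcAuthzPolicy values in cn=config, then verify with `ldapwhoami -Y PLAIN -U someone` before trying `-X u:someone`, so that a failure can be attributed to the mapping rule or to the authorization policy separately.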