Hi, Klünter

Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user entry in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.

1. My slapd.conf is below:

   include /usr/local/openldap/schema/core.schema
   include /usr/local/openldap/schema/cosine.schema
   include /usr/local/openldap/schema/inetorgperson.schema
   include /usr/local/openldap/schema/openldap.schema
   include /usr/local/openldap/schema/nis.schema
   pidfile /usr/local/openldap/slapd.1.pid
   argsfile /usr/local/openldap/slapd.1.args
   password-hash {CLEARTEXT}
   authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
   binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
   database bdb
   suffix "ou=people,dc=example,dc=com"
   rootdn "cn=admin,ou=people,dc=example,dc=com"

2. And also I created slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf; its content is:

   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: digest-md5
3. I use saslpasswd2 to create the user and password.
Can you help to check this?
-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, June 24, 2010 1:07 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, This is my comprehension:
- The client is connecting to SLAPD requesting an SASL bind.
- SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
- The client sends the authentication information to SLAPD.
- SLAPD performs the translation specified in authz-regexp.
- SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
- When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.
So SLAPD just compares the password received from the client and the one stored in sasldb2, how could it relate to the one stored in ldap like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
Sorry, my bad. I forgot that you use sasldb as an external authentication source. My remarks were based on an internal sasl authentication. Try to raise the debug level in sasl/slapd.conf, something like 'loglevel: 7'. If you use syslog, allow sasl to log to auth.
-Dieter
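The quoted question above (how a DIGEST-MD5 check against sasldb2 could relate to a "{SHA}" userPassword) comes down to what secret the server must hold. The following Python is an added example written for this page; it is not code from the thread, from OpenLDAP or from Cyrus SASL. It computes the RFC 2831 client response and server rspauth and runs a server-side check against a stored secret. The username, realm, nonce, cnonce and digest-uri are the worked example from RFC 2831 section 4; the function names, the "{CLEARTEXT}" handling and the ValueError for one-way schemes are my own assumptions about how such a verifier would be written, not the behaviour of the Cyrus auxprop plugins.

```python
"""DIGEST-MD5 (RFC 2831) seen from the server: what secret it must hold.

Added example, not code from the thread, OpenLDAP or Cyrus SASL. Function
names and the stored-secret handling are assumptions for illustration.
"""
import hashlib
import secrets
from typing import Optional


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def user_realm_pass_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), the per-user secret DIGEST-MD5 is built on.

    A store like sasldb keeps a plaintext-equivalent secret so this value can
    be produced; a one-way {SHA} userPassword cannot yield it.
    """
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _ha1(urp: bytes, nonce: str, cnonce: str) -> str:
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce   (authzid omitted)
    return _md5hex(urp + f":{nonce}:{cnonce}".encode("utf-8"))


def _kd(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))


def digest_md5_response(urp: bytes, nonce: str, cnonce: str, digest_uri: str,
                        nc: str = "00000001", qop: str = "auth") -> str:
    """Client 'response' directive (RFC 2831 section 2.1.2.1)."""
    ha2 = _md5hex(f"AUTHENTICATE:{digest_uri}".encode("utf-8"))
    return _kd(_ha1(urp, nonce, cnonce), nonce, nc, cnonce, qop, ha2)


def digest_md5_rspauth(urp: bytes, nonce: str, cnonce: str, digest_uri: str,
                       nc: str = "00000001", qop: str = "auth") -> str:
    """Server 'rspauth' directive: like the response, but A2 has an empty method."""
    ha2 = _md5hex(f":{digest_uri}".encode("utf-8"))
    return _kd(_ha1(urp, nonce, cnonce), nonce, nc, cnonce, qop, ha2)


def plaintext_from_stored(stored: str) -> Optional[str]:
    """Password recoverable from a userPassword-style stored value.

    Bare or {CLEARTEXT} values (what 'password-hash {CLEARTEXT}' in the
    thread's slapd.conf produces) give back the password; one-way schemes
    such as {SHA}, {SSHA} or {MD5} give None, since DIGEST-MD5 cannot use them.
    """
    if not stored.startswith("{"):
        return stored
    scheme, _, value = stored[1:].partition("}")
    return value if scheme.upper() == "CLEARTEXT" else None


def server_verify(stored: str, username: str, realm: str, nonce: str, cnonce: str,
                  digest_uri: str, client_response: str,
                  nc: str = "00000001", qop: str = "auth") -> bool:
    """Check a client response against the stored secret.

    Raises ValueError when the store only holds a one-way hash: the server
    then has nothing from which to rebuild H(username:realm:password).
    """
    password = plaintext_from_stored(stored)
    if password is None:
        raise ValueError(f"DIGEST-MD5 needs a plaintext-equivalent secret, got {stored[:6]}...")
    expected = digest_md5_response(user_realm_pass_hash(username, realm, password),
                                   nonce, cnonce, digest_uri, nc, qop)
    return secrets.compare_digest(expected, client_response)


# Values from the worked example in RFC 2831 section 4 (not from the thread).
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                       digest_uri="imap/elwood.innosoft.com")


def rfc2831_example_response() -> str:
    e = RFC2831_EXAMPLE
    urp = user_realm_pass_hash(e["username"], e["realm"], e["password"])
    return digest_md5_response(urp, e["nonce"], e["cnonce"], e["digest_uri"])


def rfc2831_example_rspauth() -> str:
    e = RFC2831_EXAMPLE
    urp = user_realm_pass_hash(e["username"], e["realm"], e["password"])
    return digest_md5_rspauth(urp, e["nonce"], e["cnonce"], e["digest_uri"])


if __name__ == "__main__":
    e = RFC2831_EXAMPLE
    resp = rfc2831_example_response()
    print("response:", resp)
    print("{CLEARTEXT} store verifies:",
          server_verify("{CLEARTEXT}secret", e["username"], e["realm"], e["nonce"],
                        e["cnonce"], e["digest_uri"], resp))
    try:  # the {SHA} value is the one quoted in the thread
        server_verify("{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=", e["username"], e["realm"],
                      e["nonce"], e["cnonce"], e["digest_uri"], resp)
    except ValueError as err:
        print("{SHA} store:", err)
```

The point the code makes: the only per-user secret DIGEST-MD5 consumes is H(username:realm:password), so whichever store slapd consults (sasldb via auxprop, or userPassword when the password is kept with {CLEARTEXT}) must hold the password or that hash; an entry whose userPassword is a one-way {SHA} digest can never satisfy this mechanism, which is why the two stores in the thread cannot be mixed for DIGEST-MD5.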