Penza Kenneth at MITA wrote:
I am using RHEL7 and openldap from the LTB project (to test out SSHA password hashing). Currently I am having issues configuring SASL EXTERNAL auth. Maybe I am missing something; any pointers would be appreciated.
First of all, you should always test with the ldapwhoami command-line tool. It will show you the authc-DN and authz-DN.
For really using SASL/EXTERNAL you need authz-regexp statement(s) in slapd.conf or the attribute olcAuthzRegexp in cn=config to map the authc-DN to an authz-DN.
See the man pages for details.
Example on my system:
$ ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=michael ströder+mail=michael@stroeder.com,ou=private,dc=stroeder,dc=de
Based on this mapping:
dn: cn=config
[..]
olcAuthzRegexp: {1}"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth" "ldap:///dc=stroeder,dc=de??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
Ciao, Michael.
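An offline check of the mapping in the reply above, added here as example code that is neither part of the message nor OpenLDAP's own code: it applies the rule to a SASL authc-DN the way slapd's authz-regexp does (case-insensitive POSIX extended regex, $1/$2 substituted into the LDAP URL) and then resolves the URL against a constructed in-memory directory, accepting the result only if exactly one entry matches. The `+` between the two RDN components is written as `\+` in the pattern, because an unescaped `+` after a group is a repetition operator in an extended regex; the whole-DN match, the DN normalisation and the filter evaluator are simplifications assumed for the demonstration.

```python
import re

# Rule from the message: match pattern and LDAP URL template ($1 = gidNumber, $2 = uidNumber).
# The literal '+' between the RDN components is escaped so the extended regex matches it.
AUTHZ_MATCH = r"gidnumber=([0-9]+)\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
AUTHZ_REPLACE = "ldap:///dc=stroeder,dc=de??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"

# Constructed sample directory (DN -> lower-cased attribute values), standing in for the
# search slapd would run against the real DIT.
DIRECTORY = {
    "cn=michael ströder+mail=michael@stroeder.com,ou=private,dc=stroeder,dc=de": {
        "objectclass": {"inetorgperson", "posixaccount"}, "uidnumber": {"1000"}, "gidnumber": {"100"},
    },
    "cn=service,ou=private,dc=stroeder,dc=de": {
        "objectclass": {"posixaccount"}, "uidnumber": {"2000"}, "gidnumber": {"100"},
    },
}

def expand_authz_url(authc_dn):
    """Apply the authz-regexp rule to the authc-DN; return the expanded URL or None if it does not match."""
    m = re.fullmatch(AUTHZ_MATCH, authc_dn, re.IGNORECASE)  # assumed: whole-DN, case-insensitive match
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), AUTHZ_REPLACE)

def entries_matching(url, directory):
    """Minimal evaluator for the AND-of-equality filter used by the rule (not a full LDAP filter parser)."""
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?")
    wanted = re.findall(r"\(([^=()]+)=([^()]+)\)", filt)
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn.lower().endswith(base.lower()) if scope == "sub" else dn.lower() == base.lower()
        if in_scope and all(v.lower() in attrs.get(a.lower(), set()) for a, v in wanted):
            hits.append(dn)
    return hits

def authz_dn(authc_dn, directory=DIRECTORY):
    """Map an authc-DN to its authz-DN; None if the rule does not apply or the URL does not yield exactly one entry."""
    url = expand_authz_url(authc_dn)
    if url is None:
        return None
    hits = entries_matching(url, directory)
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print(authz_dn("gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth"))
```

An authc-DN that does not come from the ldapi:// peer credential path (for example one derived from a TLS client certificate) falls through the rule and stays unmapped, and an ambiguous search result is rejected rather than guessed.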