Hi, This is my comprehension: 1. The client is connecting to SLAPD requesting an SASL bind. 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5. 3. The client sends the authentication information to SLAPD. 4. SLAPD performs the translation specified in authz-regexp. 5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2. 6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.
So SLAPD just compares the password received form client and the one stored in sasldb2, how could it relate to the one stored in ldap like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
-----Original Message----- From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter Sent: Wednesday, June 23, 2010 3:33 AM To: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi,
I tried again with following steps:
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]
slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
./ldapsearch -U admin -Y DIGEST-MD5
[...]
You have the attribute value for userPassword hashed with SHA, that is the password hash has a length of 32bit, SASL requires plain text password in order to create a challange, a challange based on a 32bit string is different from a challange based on a plain text password string.
-Dieter