Hi Dan.
Thank you for your information.
First of all, it is not important to use a realm if the LDAP server can identify ldap_user@company_a.com and ldap_user@company_b.net.
And your idea looks good. I'll check it later and report back.
1. My goal is to build an LDAP server like the following.
* Store multiple companies' information in one LDAP server.
* Secure authentication (SASL/Kerberos, or SASL/Digest-MD5).
* High-availability SASL database. sasldb is just a file; I would like to share user info with multiple machines.
2. My plan
* LDAP DIT
ou=users,ou=company_a.com,dc=mydomain,dc=com # user DIT in company a
ou=users,ou=company_b.net,dc=mydomain,dc=com # user DIT in company B
* Secure Auth
Plan 1) SASL (Digest-MD5 authentication): user info stored in a MySQL database; identify company_a users and company_b users with the realm.
Plan 2) SASL (GSSAPI authentication): not tested yet.
Thank you for your advice.
-- Hiroyuki Sato
2011/2/17 Dan White dwhite@olp.net:
On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
Thank you Dan.
I simplified test environment. (see below)
- Problem summary
Has anybody succeeded in setting up SASL (digest-md5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly, and it seems that the LDAP server compares the DN and the input password in LDAP authentication. (See log below.)
To: Dan
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true? I tested again. It seems that c=<realm> will set the "sasl-realm" value.
In your original post, you specified this command:
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Did you specify '-R mydomain.com' in all the other examples?
I'm getting a little confused with which realm value we're talking about.
See the sasl_server_new(3) man page for a discussion of what sasl-host (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd config. I don't know what effect, if any, setting either value will have when using the digest-md5 mechanism.
In fact, it might simplify things to drop the SASL realm (-R) altogether and capture the domain in the authentication identity (-U ldapuser@mydomain.com), if your environment supports it.
case 1:
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
Another way to approach this (without using realms):
sasl-regexp uid=([^@]+)@([^.]+).([^,]+),cn=.*,cn=auth uid=$1,ou=users,dc=$2,dc=$3
(and yes, I just broke my own rule about .*)
-- Dan White
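As an added illustration (not code from this thread or from OpenLDAP), the Python below emulates how sasl-regexp style rules rewrite a SASL authentication DN, using the rules quoted above plus one tightened variant of Dan's realm-free rule. It assumes a pattern must cover the whole identity and is matched case-insensitively; the sample DNs are constructed.

```python
import re

# Constructed SASL authentication DNs of the shape slapd builds for a
# digest-md5 bind; the cn=<realm> part is what the thread is about.
DN_REALM = "uid=ldapuser,cn=mydomain,dc=com,cn=digest-md5,cn=auth"
DN_NO_REALM = "uid=ldapuser@mydomain.com,cn=digest-md5,cn=auth"
DN_NO_DOT = "uid=ldapuser@mydomainXcom,cn=digest-md5,cn=auth"  # constructed oddity

# (match, replace) pairs taken from the thread, plus one tightened variant.
RULE_ORIGINAL = (r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
                 r"uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com")
RULE_REALM = (r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
              r"uid=$1,ou=users,dc=mydomain,dc=com")
RULE_NO_REALM = (r"uid=([^@]+)@([^.]+).([^,]+),cn=.*,cn=auth",
                 r"uid=$1,ou=users,dc=$2,dc=$3")
# Tightened: the dot is escaped and ".*" is replaced by a single RDN value.
RULE_NO_REALM_STRICT = (r"uid=([^@]+)@([^.]+)\.([^,]+),cn=[^,]+,cn=auth",
                        r"uid=$1,ou=users,dc=$2,dc=$3")


def map_identity(sasl_dn, rule):
    """Apply one sasl-regexp style rule to a SASL DN.

    Assumption (not checked against the slapd source): the pattern must
    cover the whole identity and is matched case-insensitively. Returns
    the rewritten DN, or None when the rule does not apply.
    """
    match, replace = rule
    m = re.fullmatch(match, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    out = replace
    # slapd writes captured groups as $1..$9; substitute them in.
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    return out


def first_match(sasl_dn, rules):
    """Rules are tried in configuration order; the first match wins."""
    for rule in rules:
        mapped = map_identity(sasl_dn, rule)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    for dn in (DN_REALM, DN_NO_REALM, DN_NO_DOT):
        print(dn, "->", first_match(dn, [RULE_REALM, RULE_NO_REALM]))
```

The original rule never matches the canonicalized realm DN, and the unescaped dot in the realm-free rule turns an identity with no dot at all into a nonsensical DN, which the escaped variant rejects.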