Seau Yeen Su wrote:
- After using saslpasswd2 to create the username and password in the sasl database, do I need to add the entry into the ldap database with the slappasswd command? When I use the slapadd command and it prompts for a password, does it authenticate against the sasl database or the ldap database?
I assume you're talking about SASL bind with password-based mechs.
It depends on whether you want in-directory passwords (mainly userPassword with a clear-text password as attribute value) or not.
- Do I need to issue saslpasswd2 for each and every user that I want to add into the ldap database and to be authenticated via ldap?
Only if you don't store the passwords in the directory.
- In the slapd.conf file, under rootpw, am I supposed to use the word "secret" or the cleartext password that I keyed in using saslpasswd2 or some encrypted password?
Like the values of the userPassword attribute, rootpw can be hashed or clear-text. If you also want to bind as rootdn with SASL bind with mech CRAM-MD5 or DIGEST-MD5, then it has to be clear-text. Otherwise it can be hashed (e.g. generated/hashed with the command-line tool slappasswd).
- What is the difference between sasl-regexp and authz-regexp?
authz-regexp is the more recent keyword in slapd.conf for this.
Example:
authz-regexp "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth" "ldap:///ou=schulung??sub?(uid=$1)"
- Let's say I issued saslpasswd2 -c admin to create admin as the LDAP administrator. Does this mean that in slapd.conf the rootdn should be admin, or can it be another name that will be mapped via sasl-regexp/authz-regexp? (Which does it use anyway, sasl-regexp or authz-regexp?)
A SASL bind with a digest password mech only knows a plain user-ID. So you need an appropriate authz-regexp in slapd.conf to map it to the DN of an existing entry.
- Previously I set up without sasl and it was rather straightforward, merely using slappasswd and saving the encrypted password into slapd.conf.
If you used a hashed password in rootpw and did nothing else, then I doubt you could use that with SASL/DIGEST-MD5 bind.
Don't forget to double-check the access control rule for userPassword. It should contain a clause that grants auth access to anyone.
Example:
access to attrs=userPassword by group="cn=Password Admins,ou=Groups,ou=schulung" =wx by self =wx by * =x
Ciao, Michael.
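As an added illustration (not part of Michael's message or of OpenLDAP itself), the following Python emulates what slapd does with the two fragments quoted above: it builds the synthetic authentication DN from a SASL bind, applies the authz-regexp rule with $N expansion, and checks whether the userPassword access rule grants at least auth (x) to everyone. It assumes slapd's case-insensitive regex matching and that the whole authentication DN must match the pattern; the realm-qualified and dotted-uid inputs are constructed to show binds that this particular rule does not cover.

```python
import re

# Constructed example: the authz-regexp and access rule from the message.
AUTHZ_RULES = [
    (r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth",
     "ldap:///ou=schulung??sub?(uid=$1)"),
]
ACCESS_USERPASSWORD = ("access to attrs=userPassword "
                       "by group=\"cn=Password Admins,ou=Groups,ou=schulung\" =wx "
                       "by self =wx by * =x")

def sasl_authc_dn(authcid, mech, realm=None):
    """Synthetic DN slapd derives from a SASL bind: uid=<id>[,cn=<realm>],cn=<mech>,cn=auth."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    return ",".join(parts + [f"cn={mech.lower()}", "cn=auth"])

def map_authz(authc_dn, rules=AUTHZ_RULES):
    """Apply the first matching authz-regexp, expanding $1..$9; None if no rule matches."""
    for pattern, replacement in rules:
        # Assumption: slapd compiles the pattern case-insensitively and the whole DN must match.
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        def expand(ref):
            n = int(ref.group(1))
            return m.group(n) if n <= m.re.groups and m.group(n) else ""
        return re.sub(r"\$(\d)", expand, replacement)
    return None

# Named access levels that include the auth (x) privilege.
_LEVELS_WITH_AUTH = {"auth", "compare", "search", "read", "write", "manage"}

def grants_auth_to_anyone(access_directive):
    """True if the 'by *' (or 'by anonymous') clause allows at least auth on the attribute."""
    for clause in access_directive.split(" by ")[1:]:
        who, _, level = clause.strip().rpartition(" ")
        if who not in ("*", "anonymous"):
            continue
        if level.startswith("="):
            return "x" in level                         # explicit privilege list, e.g. =x or =wx
        return level.split("(")[0] in _LEVELS_WITH_AUTH  # named level, e.g. auth or read
    return False
```

A bind with a realm, a PLAIN bind, or a uid containing characters outside [a-zA-Z0-9] yields None here, which is exactly the situation in which slapd has no DN to map the SASL identity to.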