Hi, I can understand the disadvantage of using sasldb, I just want to test SASL with sasldb. Is there any way I can solve this issue? I can't find out which version of db that sasldb is using. Thanks for your response, it helps me a lot.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D wrote:
Hi,
I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
/usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Gets the response as below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
that's because slapd program is stopped for some reason, here is the log of slapd:
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
Most likely your sasldb was compiled against a different version of BerkeleyDB than slapd.
In general, using sasldb is a mistake. You cannot administer it remotely, and it has no provisions for re-entrancy / thread-safety.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi,
My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not, it uses the password stored in userpassword attribute of this user which is an item of openldap.
So I want to know, how can slapd use password stored in sasldb to do the sasl authentication.
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
It does! for auxprop_plugin, and auxprop_plugin only. After some digging I found the insertion of a SASL_CB_GETOPT function which replaces whatever auxprop_plugin value is found in the sasl config file with the sasl-auxprops openldap config option, or defaults to 'slapd' if no sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
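
The thread attributes the slapd segfault to sasldb and slapd being built against different BerkeleyDB versions, and the top message asks how to find which version sasldb uses. The script below is an added example, not part of the original thread: it compares the Berkeley DB shared library named in the `ldd` output of two binaries. The sample `ldd` output is constructed, and the plugin file name `libsasldb.so` and the placeholder paths in the comments are assumptions about the local install.

```shell
#!/bin/sh
# Added example: do two binaries load the same Berkeley DB shared library?

# Constructed sample `ldd` output (library versions and addresses are made up).
SLAPD_LDD_SAMPLE='    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f0000200000)
    libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f0000400000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000600000)'
SASLDB_LDD_SAMPLE='    libdb-4.2.so => /usr/lib/libdb-4.2.so (0x00007f0000400000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000600000)'

# Read `ldd` output on stdin and print the Berkeley DB sonames it lists.
# Matches libdb.so.N and libdb-X.Y.so, but not libdb_cxx or unrelated libraries.
libdb_sonames() {
    awk '$1 ~ /^libdb(-[0-9.]+)?\.so/ { print $1 }' | sort -u
}

# compare_libdb LDD_TEXT_A LDD_TEXT_B
# Prints "match <soname>", "mismatch <a> <b>" or "unknown".
# Returns 0 on match, 1 on mismatch, 2 when either side lists no libdb
# (for example a static link, or slapd loading its BDB backend as a module).
compare_libdb() {
    a=$(printf '%s\n' "$1" | libdb_sonames | tr '\n' ' ' | sed 's/ $//')
    b=$(printf '%s\n' "$2" | libdb_sonames | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$a" = "$b" ]; then
        echo "match $a"
        return 0
    fi
    echo "mismatch $a $b"
    return 1
}

# Live use on your own install (placeholder paths, adjust to your system):
#   sh check_libdb.sh /path/to/slapd /path/to/sasl2/libsasldb.so
if [ "$#" -eq 2 ]; then
    compare_libdb "$(ldd "$1")" "$(ldd "$2")"
fi
```

A "mismatch" result is consistent with the explanation given in the thread; "unknown" means `ldd` cannot answer the question for that pair of files.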