Hi!
I am trying to authenticate by binding with the DN below and it works nicely.
dn: uid=grios,ou=people,dc=ufv,dc=br
uid: grios
objectclass: organizationalrole
objectclass: posixaccount
cn: Gustavo Rios
uidnumber: 2000
gidnumber: 2000
homedirectory: /home/grios
userpassword: {SSHA}dWhcPjgDn4EGb/FwGMYbxx7fIqAuXCN7
loginshell: /bin/sh
gecos: Gustavo V G C Rios,,,
But if I change the userpassword attribute to {SASL}grios@UFV.BR it does not work when I bind with the same DN above. Does anybody have an idea about my mistake?
Thanks in advance.
On Thu, 30 Jun 2011 14:59:40 -0300, Friedrich Locke friedrich.locke@gmail.com wrote:
> Hi!
> I am trying to authenticate by binding with the DN below and it works nicely.
> dn: uid=grios,ou=people,dc=ufv,dc=br
> uid: grios
> objectclass: organizationalrole
> objectclass: posixaccount
> cn: Gustavo Rios
> uidnumber: 2000
> gidnumber: 2000
> homedirectory: /home/grios
> userpassword: {SSHA}dWhcPjgDn4EGb/FwGMYbxx7fIqAuXCN7
> loginshell: /bin/sh
> gecos: Gustavo V G C Rios,,,
> But if I change the userpassword attribute to {SASL}grios@UFV.BR it does not work when I bind with the same DN above. Does anybody have an idea about my mistake?
Frankly, I don't understand what you are trying to do. You either bind by means of simple bind (which is DN and password), or by a SASL-based strong bind. In order to use a strong bind you have several choices, either OpenLDAP's own SASL framework or an external mechanism that provides authentication. In order to use SASL authentication by means of OpenLDAP's SASL framework, i.e. password and uid based credentials, the stored userPassword attribute value has to be cleartext, otherwise it is not possible to create an appropriate challenge.
-Dieter
--On Thursday, June 30, 2011 10:22 PM +0200 Dieter Kluenter dieter@dkluenter.de wrote:
> Frankly, I don't understand what you are trying to do. You either bind by means of simple bind (which is DN and password), or by a SASL-based strong bind. In order to use a strong bind you have several choices, either OpenLDAP's own SASL framework or an external mechanism that provides authentication. In order to use SASL authentication by means of OpenLDAP's SASL framework, i.e. password and uid based credentials, the stored userPassword attribute value has to be cleartext, otherwise it is not possible to create an appropriate challenge.
Not true with SASL/GSSAPI. In that case, there should be *no* userPassword attribute at all.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
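A small audit script, added here and not part of the thread or of OpenLDAP, that parses LDIF like the entry above and reports how slapd would treat a simple bind for each entry according to its userPassword scheme: hashed ({SSHA}), pass-through ({SASL}user@realm, which hands the password check to the SASL library and requires slapd built and configured for that), cleartext, or absent (Kerberos/GSSAPI-only, as Quanah notes). The sample entries are constructed.

```python
import re
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")   # {SCHEME}rest
# Constructed sample LDIF (added example, not from the thread): the posted
# entry, a {SASL} pass-through variant, and a Kerberos-only entry.
SAMPLE_LDIF = """\
dn: uid=grios,ou=people,dc=ufv,dc=br
uid: grios
userPassword: {SSHA}dWhcPjgDn4EGb/FwGMYbxx7fIqAuXCN7

dn: uid=alice,ou=people,dc=ufv,dc=br
userPassword: {SASL}alice@UFV.BR

dn: uid=bob,ou=people,dc=ufv,dc=br
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})], unfolding
    continuation lines (leading space); base64 (::) values stay encoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line:
            if attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def classify_password(values):
    """How slapd would check a simple bind against this entry's userPassword."""
    if not values:
        return "none"            # only SASL binds (e.g. GSSAPI) can succeed
    m = SCHEME_RE.match(values[0])
    if m is None:
        return "cleartext"       # what challenge-response SASL mechs need
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":         # pass-through: slapd asks the SASL library
        return "passthrough:" + rest   # (saslauthd); needs slapd built for it
    return "hashed:" + scheme    # slapd compares the stored hash itself

def audit(text):
    return {dn: classify_password(a.get("userpassword", [])) for dn, a in parse_ldif(text)}
```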
openldap-technical@openldap.org