Hi all,
I have setup an OpenLDAP server for users authenticating using SASL. The authz-regexp "converts" the SASL identity into a DN which is used only for authorization purposes - there are no real LDAP entries with these DNs. This setup works fine.
Now I have some LDAP client applications that only support simple authentication, but no SASL authentication. So I am looking for a way to "map" simple authentication to SASL authentication, e.g. when a user uses simple auth with DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should authenticate this user via SASL using username "user1" and the provided password.
I absolutely DO NOT WANT to create real LDAP entries for these users, because the user database is an external one accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I don't want to manage user accounts in two places :-)
Is this possible?
I already thought about using an "ldap"-backend to proxy simple-auth-connections, but I did not find a way to just "rewrite" the authentication information and make the proxy server use SASL with a username extracted from the simple auth DN...
Thanks and best regards -stefan-
Stefan Palme wrote:
I have setup an OpenLDAP server for users authenticating using SASL. The authz-regexp "converts" the SASL identity into a DN which is used only for authorization purposes - there are no real LDAP entries with these DNs. This setup works fine.
Now I have some LDAP client applications that only support simple authentication, but no SASL authentication. So I am looking for a way to "map" simple authentication to SASL authentication, e.g. when a user uses simple auth with DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should authenticate this user via SASL using username "user1" and the provided password.
I absolutely DO NOT WANT to create real LDAP entries for these users, because the user database is an external one accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I don't want to manage user accounts in two places :-)
Is this possible?
I already thought about using an "ldap"-backend to proxy simple-auth-connections, but I did not find a way to just "rewrite" the authentication information and make the proxy server use SASL with a username extracted from the simple auth DN...
The only way I see, apart from writing a custom layer (an overlay) to slapd, consists in populating the database with the users' entries, setting their userPassword to "{SASL}<saslname>" and configuring slapd's SASL to auth them accordingly.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
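To make the suggestion concrete, here is an added configuration sketch (not from the thread or from the OpenLDAP project itself) showing both bind paths ending at the same DN: the existing authz-regexp for SASL binds, and a placeholder entry with a {SASL} userPassword for simple binds. It assumes no SASL realm is in use, the DN layout from the question, and a Cyrus SASL application config at /usr/lib/sasl2/slapd.conf (path varies by distribution).

```conf
# slapd.conf excerpt. SASL binds: the authenticated id
# uid=user1,cn=<mech>,cn=auth is mapped to a DN that need not exist.
# (Assumes no sasl-realm; with a realm the pattern gains a cn= component.)
authz-regexp
    "uid=([^,]*),cn=[^,]*,cn=auth"
    "cn=$1,ou=users,dc=domain,dc=com"

# The {SASL} scheme requires slapd built with --enable-spasswd.
# On a simple bind to the entry below, slapd does not compare a stored
# hash; it passes the supplied password to Cyrus SASL as user "user1",
# so the same PAM stack decides, and the bind DN equals the DN the
# authz-regexp produces, so existing ACLs apply to both paths.

# LDIF: one placeholder entry per external user, holding no secret.
dn: cn=user1,ou=users,dc=domain,dc=com
objectClass: inetOrgPerson
cn: user1
sn: user1
userPassword: {SASL}user1

# /usr/lib/sasl2/slapd.conf (Cyrus SASL side), so the {SASL} check is
# delegated to saslauthd, which should be started with "-a pam":
# pwcheck_method: saslauthd
```

The placeholder entries still need an ACL that denies reading userPassword to anyone but the rootdn, since the value reveals the SASL user name to map simple binds onto.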
On Tue, 2008-01-08 at 21:06 +0100, Pierangelo Masarati wrote:
Stefan Palme wrote:
Now I have some LDAP client applications that only support simple authentication, but no SASL authentication. So I am looking for a way to "map" simple authentication to SASL authentication, e.g. when a user uses simple auth with DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should authenticate this user via SASL using username "user1" and the provided password.
Is this possible?
The only way I see, apart from writing a custom layer (an overlay) to slapd, consists in populating the database with the users' entries, and set their userPassword to "{SASL}<saslname>" and configure slapd's SASL to auth them accordingly.
Thanks for this hint - until now I did not know the "password format" {SASL}. Will give it a try, because automatically creating a dummy LDAP entry for each existing user from my external database should be possible.
Regards -stefan-
openldap-technical@openldap.org