9:46 a.m.
Hi all,
I have setup an OpenLDAP server for users authenticating
using SASL. The authz-regexp "converts" the SASL identity
into a DN which is used only for authorization purposes
- there are no real LDAP entries with these DNs. This setup
works fine.
Now I have some LDAP client applications that only support
simple authentication, but no SASL authentication. So I am
looking for a way to "map" simple authentication to SASL
authentication, e.g. when a user uses simple auth with
DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should
authenticate this user via SASL using username "user1"
and the provided password.
I absolutely DO NOT WANT to create real LDAP entries for
these users, because the user database is an external one
accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I
dont want to manage user accounts in two places :-)
Is this possible?
I already thought about using an "ldap"-backend to proxy
simple-auth-connections, but I did not found a way to just
"rewrite" the authentication information and make the proxy
server using SASL with a username extracted from the simple
auth DN...
Thanks and best regards
-stefan-
12:06 p.m.
Stefan Palme wrote:
I have setup an OpenLDAP server for users authenticating
using SASL. The authz-regexp "converts" the SASL identity
into a DN which is used only for authorization purposes
- there are no real LDAP entries with these DNs. This setup
works fine.
Now I have some LDAP client applications that only support
simple authentication, but no SASL authentication. So I am
looking for a way to "map" simple authentication to SASL
authentication, e.g. when a user uses simple auth with
DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should
authenticate this user via SASL using username "user1"
and the provided password.
I absolutely DO NOT WANT to create real LDAP entries for
these users, because the user database is an external one
accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I
dont want to manage user accounts in two places :-)
Is this possible?
I already thought about using an "ldap"-backend to proxy
simple-auth-connections, but I did not found a way to just
"rewrite" the authentication information and make the proxy
server using SASL with a username extracted from the simple
auth DN...
The only way I see, apart from writing a custom layer (an overlay) to
slapd, consists in populating the database with the users' entries, and
set their userPassword to "{SASL}<saslname>" and configure slapd's
SASL
to auth them accordingly.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
11:13 p.m.
On Tue, 2008-01-08 at 21:06 +0100, Pierangelo Masarati wrote:
Stefan Palme wrote:
> Now I have some LDAP client applications that only support
> simple authentication, but no SASL authentication. So I am
> looking for a way to "map" simple authentication to SASL
> authentication, e.g. when a user uses simple auth with
> DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should
> authenticate this user via SASL using username "user1"
> and the provided password.
>
> Is this possible?
>
The only way I see, apart from writing a custom layer (an overlay) to
slapd, consists in populating the database with the users' entries, and
set their userPassword to "{SASL}<saslname>" and configure slapd's
SASL
to auth them accordingly.
Thanks for this hint - until now I did not know the "password format"
{SASL}. Will give it a try, because automatically creating a dummy LDAP
entry for each existing user from my external database should be
possible.
Regards
-stefan-
--
-------------------------------------------------------------------
Dipl. Inf. (FH) Stefan Palme
email: kleiner(a)hora-obscura.de
www: http://hbci4java.kapott.org
http://converter-db.de
icq: 36376278
fax: +49 1212 517956219
mobil: +49 178 3227887
key fingerprint: 1BA7 D217 36A1 534C A5AD F18A E2D1 488A E904 F9EC
-------------------------------------------------------------------
5552
days inactive
5554
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Pierangelo Masarati -
Stefan Palme