Hi,
I have SASL pass-through authentication working when using a simple bind, but only on users that have a userPassword starting with {SASL}. When the user's password contains {SASL}extraAuthInformation, the extraAuthInformation is passed on as the username to saslauthd and everything works as it should.
However, when using SASL/PLAIN all requests go to saslauthd without passing the extra information found in userPassword. Another issue is that the username sent to saslauthd is the username entered by the user, not the DN found when rewriting the username with authz-regexp.
Is this by design, or did I miss something? The documentation states that pass-through should work with SASL/PLAIN, but perhaps I misunderstood what it really meant?
On 03/08/13 21:16 +0100, Robin Helgelin wrote:
> Hi,
> I have SASL pass-through authentication working when using a simple bind, but only on users that have a userPassword starting with {SASL}. When the user's password contains {SASL}extraAuthInformation, the extraAuthInformation is passed on as the username to saslauthd and everything works as it should.
> However, when using SASL/PLAIN all requests go to saslauthd without passing the extra information found in userPassword. Another issue is that the username sent to saslauthd is the username entered by the user, not the DN found when rewriting the username with authz-regexp.
> Is this by design, or did I miss something? The documentation states that pass-through should work with SASL/PLAIN, but perhaps I misunderstood what it really meant?
Pass-through does not utilize SASL/PLAIN. slapd performs a call to sasl_checkpass instead, as documented in section 14.5 of the OpenLDAP Administrator's Guide.
When performing SASL authentication (PLAIN) you are delegating authentication to libsasl2. If using SASL PLAIN, the authentication identity and password provided by the client are passed to libsasl as-is. It's up to saslauthd and its configured backend (in your scenario) to authenticate the user, after which you can make use of authz-regexp statements to map the authentication identity to a DN.
Robin Helgelin wrote:
> Hi,
> I have SASL pass-through authentication working when using a simple bind, but only on users that have a userPassword starting with {SASL}. When the user's password contains {SASL}extraAuthInformation, the extraAuthInformation is passed on as the username to saslauthd and everything works as it should.
> However, when using SASL/PLAIN all requests go to saslauthd without passing the extra information found in userPassword. Another issue is that the username sent to saslauthd is the username entered by the user, not the DN found when rewriting the username with authz-regexp.
> Is this by design, or did I miss something? The documentation states that pass-through should work with SASL/PLAIN, but perhaps I misunderstood what it really meant?
That's by design. The authz-regexp mapping is only used when the target credentials are stored in slapd. Since you're using SASL/PLAIN to actually talk to saslauthd, nothing inside slapd is relevant.
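The two code paths described in the replies above, laid out side by side as an added configuration example; this is not taken from the original thread or from the OpenLDAP project, the hostnames, DNs, password and the sasl2 config file path are assumed placeholders (the path in particular varies by distribution), and the ldapwhoami / testsaslauthd invocations are shown as comments for illustration:

```conf
# --- slapd.conf (fragment) ----------------------------------------------
# Map the SASL authentication identity, which slapd forms as
#   uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth
# onto a directory entry. Only SASL binds (e.g. -Y PLAIN) pass through this
# map; a simple bind already names its DN and never touches authz-regexp.
# The pattern uses cn=.* so it matches with or without a realm component.
authz-regexp
    uid=([^,]*),cn=.*,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# --- /usr/lib/sasl2/slapd.conf (path is distribution-specific) ----------
# libsasl2 hands the PLAIN authcid and password to saslauthd unchanged.
pwcheck_method: saslauthd
mech_list: PLAIN

# --- entry for the pass-through user (LDIF) -----------------------------
# {SASL}user@realm makes slapd verify a *simple* bind against this entry by
# calling sasl_checkpass() with user "robin" and realm "example.com"
# (requires slapd built with --enable-spasswd). The text after {SASL} plays
# no part in a SASL/PLAIN bind, which never reads userPassword.
dn: uid=robin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: robin
cn: Robin
sn: Helgelin
userPassword: {SASL}robin@example.com

# --- what saslauthd sees in each case (illustrative shell commands) -----
# 1) Simple bind -> pass-through. slapd looks up the entry, finds {SASL},
#    and saslauthd receives user "robin", realm "example.com", service
#    "slapd". StartTLS (-ZZ) matters because the password is sent in clear.
#   ldapwhoami -ZZ -H ldap://ldap.example.com \
#       -x -D uid=robin,ou=people,dc=example,dc=com -w 'secret'
#
# 2) SASL/PLAIN -> libsasl2 -> saslauthd, with userPassword never consulted.
#    saslauthd receives exactly the authcid the client typed ("robin");
#    only after it succeeds does slapd apply authz-regexp to
#    uid=robin[,cn=<realm>],cn=plain,cn=auth to choose the bind DN.
#   ldapwhoami -ZZ -H ldap://ldap.example.com -Y PLAIN -U robin -w 'secret'
#
# 3) Exercise the saslauthd backend directly, with the service name slapd
#    uses, to separate saslauthd problems from slapd mapping problems:
#   testsaslauthd -u robin -r example.com -s slapd -p 'secret'
```

The practical consequence for the question in the thread: if the extra information after {SASL} (a different username or realm) must reach saslauthd, clients have to use a simple bind against the entry; with SASL/PLAIN the only thing slapd can do with the directory is the post-authentication authz-regexp mapping.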
openldap-technical@openldap.org