1:08 p.m.
Hi,
i have installed and configured openldap and so far, so good. But i
have a simple doubt.
Up to now, all users i have added to the ldap server have a field:
userPassword: {SASL}user@domain
I am connecting to retrieve the entry attributes with the following command:
ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
uid=user,ou=people,dc=my,dc=domain
And everyting works ok.
My doubt is:
who is performing the password checking? The openldap server
daemon (slapd) ou the ldapsearch ?
Thanks in advance.
Regards,
Friedrich
1:41 p.m.
On 10/07/11 17:08 -0300, Friedrich Locke wrote:
Hi,
i have installed and configured openldap and so far, so good. But i
have a simple doubt.
Up to now, all users i have added to the ldap server have a field:
userPassword: {SASL}user@domain
I am connecting to retrieve the entry attributes with the following command:
ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
uid=user,ou=people,dc=my,dc=domain
And everyting works ok.
My doubt is:
who is performing the password checking? The openldap server
daemon (slapd) ou the ldapsearch ?
When userPassword is configured with '{SASL}user@domain', you are using
SASL pass-through authentication. See section 14.5 (Pass-Through
authentication) of the OpenLDAP Administrator's Guide for documentation.
In such a scenario, authentication is ultimately handled by the libsasl2
glue layer, and is controlled by the configuration of your sasl slapd.conf
file, which is typically found in /usr/lib/sasl2/slapd.conf.
Presumably you've configured pass-through authentication because of a need
to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).
--
Dan White
1:56 p.m.
Thanks for your response!
But who is doing the comunication with saslauthd, the slap daemon
process or the ldapsearch process ?
Thanks once more!
On Sun, Jul 10, 2011 at 5:41 PM, Dan White <dwhite(a)olp.net> wrote:
On 10/07/11 17:08 -0300, Friedrich Locke wrote:
>
> Hi,
>
> i have installed and configured openldap and so far, so good. But i
> have a simple doubt.
>
> Up to now, all users i have added to the ldap server have a field:
>
> userPassword: {SASL}user@domain
>
> I am connecting to retrieve the entry attributes with the following
> command:
>
> ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
> uid=user,ou=people,dc=my,dc=domain
>
> And everyting works ok.
> My doubt is:
>
> who is performing the password checking? The openldap server
> daemon (slapd) ou the ldapsearch ?
When userPassword is configured with '{SASL}user@domain', you are using
SASL pass-through authentication. See section 14.5 (Pass-Through
authentication) of the OpenLDAP Administrator's Guide for documentation.
In such a scenario, authentication is ultimately handled by the libsasl2
glue layer, and is controlled by the configuration of your sasl slapd.conf
file, which is typically found in /usr/lib/sasl2/slapd.conf.
Presumably you've configured pass-through authentication because of a need
to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).
--
Dan White
2:27 p.m.
On Sun, Jul 10, 2011 at 5:41 PM, Dan White <dwhite(a)olp.net>
wrote:
>> ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b
>> uid=user,ou=people,dc=my,dc=domain
>>
>> And everyting works ok.
>> My doubt is:
>>
>> who is performing the password checking? The openldap server
>> daemon (slapd) ou the ldapsearch ?
>
> When userPassword is configured with '{SASL}user@domain', you are using
> SASL pass-through authentication. See section 14.5 (Pass-Through
> authentication) of the OpenLDAP Administrator's Guide for documentation.
>
> In such a scenario, authentication is ultimately handled by the libsasl2
> glue layer, and is controlled by the configuration of your sasl slapd.conf
> file, which is typically found in /usr/lib/sasl2/slapd.conf.
>
> Presumably you've configured pass-through authentication because of a need
> to authenticate against a saslauthd daemon (pwcheck_method: saslauthd).
On 10/07/11 17:56 -0300, Friedrich Locke wrote:
Thanks for your response!
But who is doing the comunication with saslauthd, the slap daemon
process or the ldapsearch process ?
Thanks once more!
slapd will be communicating with saslauthd (or your configured
pwcheck_method) via libsasl2.
With your ldapsearch command, the dn and password will be transmitted in
clear text over the wire to your openldap/slapd server, for authentication,
unless you've configured ldaps or starttls encryption for protection.
--
Dan White
4055
days inactive
4055
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Dan White -
Friedrich Locke