sasl ldap simple bind request

Henry B. Hotz hotz at jpl.nasa.gov
Thu Jul 17 12:19:27 EDT 2008


On Jul 17, 2008, at 5:18 AM, George Forman wrote:

> > George Forman wrote:
> > > Based on my testing of saslauthd using ldap for authentication, the bind
> > > and the fastbind configuration doesn't support my needs.
> > > It appears in the bind method, an anonymous bind is first completed,
> > > then an ldap search is requested looking for the user's DN. Once the DN
> > > is returned, a second simple bind request is sent using the user's DN,
> > > uid and password.
> > > I tried the fastbind but it seemed to try to bind using the password
> > > specified in saslauthd.conf and then did an ldap search. If I remove
> > > the ldap_bind_pw, it does an anonymous bind which doesn't meet my
> > > requirements.
> > >
> > > I need to do a simple ldap bind using the user's credentials and the
> > > password provided.
> >
> > saslauthd cannot do an LDAP Simple Bind until it has mapped the user's
> > name to an LDAP DN. So it always needs to do a search first, to perform
> > this mapping.
> >
> > > Is creating a new plugin my best option?
> >
> > Is there a specific reason you need to use saslauthd? Does your LDAP
> > server support SASL authentication? If so, try using the ldapdb auxprop
> > instead.
> >
> Please excuse my ignorance, I'm just getting spun up on this project.
> I have been asked to see if we can use postfix. We have a service with a
> rudimentary ldap front end which just accepts a simple bind request and
> converts it into an internal lookup.
> I have been told the ldap front end does not support ldap search.

I expect that's not exactly true.

For LDAP you need to have a search base, a search scope, and a filter
(which may be NULL, or match anything).  The search base is
effectively the specification for which database you are doing the
lookup in.  Since data is hierarchical, the scope can say "one", or
"sub" according to whether you want to search the whole subtree or
not.  If you happen to have the full DN, you can specify scope of
"base" to just get the single record directly.

> To add to my problem, we have several email address domains so for each
> request the DN must be different. The rudimentary ldap front end
> requires the DN to be something like uid=,ou=people,dc=,dc=,dc=. I must
> use the email address's domain name to create the DN's dc= values

It sounds like you need to construct the search base according to the
email domain.  I'm guessing these different domains are hosted on
different LDAP servers.  I'm not sure if the configuration allows you
to vary those things on a per-authentication basis, and I'll punt to
the list, or the documentation for the rest of your answer.

> before I send the simple bind request, therefore, I can't configure
> the ldap_bind_dn because I can't express it like the ldap_filter.
> (i.e. ldap_filter: uid=%U,ou=people,dc=%9...dc=%1).
>
> Is there a way I can create a custom ldap bind request without
> having to modify the code?

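As an added illustration (not code from this thread, from Cyrus SASL or from saslauthd), a Python sketch of the substitution the poster is after: a saslauthd-style template such as uid=%U,ou=people,dc=%2,dc=%1 expanded from the login name, plus a helper that builds the dc= search base from an e-mail domain of any depth, which a fixed %9...%1 template cannot do. The token meanings assumed here (%u, %U, %d, %1..%9 with %1 the rightmost label, %% a literal percent) follow the thread's usage; the RFC 4514 escaping of every substituted value is this example's own defensive addition, since a login name containing ',' or '=' would otherwise rewrite the DN that gets bound.

```python
import re

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')  # NUL is hex-escaped
        elif ch in _DN_SPECIAL or (i == 0 and ch in ' #') or (i == len(value) - 1 and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_base(domain: str) -> str:
    """Build a dc= search base from an e-mail domain of any depth, e.g.
    'mail.example.org' -> 'dc=mail,dc=example,dc=org'."""
    labels = [lbl for lbl in domain.lower().split('.') if lbl]
    return ','.join('dc=' + escape_dn_value(lbl) for lbl in labels)


def expand(template: str, user: str) -> str:
    """Expand saslauthd-style tokens: %u (whole login), %U (part before '@'),
    %d (domain), %1..%9 (domain labels counted from the right, %1 = rightmost),
    %%.  A token deeper than the domain expands to '' (this example's choice);
    every substituted value is DN-escaped (this example's addition)."""
    local, _, domain = user.rpartition('@') if '@' in user else (user, '', '')
    labels = domain.split('.') if domain else []

    def repl(m):
        tok = m.group(1)
        if tok == '%':
            return '%'
        if tok == 'u':
            return escape_dn_value(user)
        if tok == 'U':
            return escape_dn_value(local)
        if tok == 'd':
            return escape_dn_value(domain)
        idx = int(tok)
        return escape_dn_value(labels[-idx]) if idx <= len(labels) else ''

    return re.sub(r'%([uUd%1-9])', repl, template)
```

Note that escaping keeps the DN well-formed but does not validate that the resulting entry exists; that is what the search step the thread describes is for.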


More information about the Cyrus-sasl mailing list