SASL + LDAP

Dan White dwhite at olp.net
Wed Apr 14 00:19:31 EDT 2010


On 13/04/10 13:38 +0200, Giovanni Malfarà wrote:
>I have the following /etc/saslauthd.conf
>
>ldap_server: ldap://"my server address" :389
>ldap_bind_dn: cn=Manager,dc=mycompany,dc=it
>ldap_search_base: ou=People,dc=mycompany,dc=it
>ldap_filter: (objectClass=inetOrgPerson)
>ldap_use_sasl: yes
>ldap_bind_pw: "my passwd in SSHA"
>ldap_auth_method: bind

from LDAP_SASLAUTHD:

ldap_bind_pw: <none>
         Alias for ldap_password.

ldap_password: <none>
         Specify the password for ldap_bind_dn or ldap_id if
         ldap_use_sasl is turned on.  Do not specify this parameter for the
         anonymous bind.

Which implies that you need to use an ldap_id rather than ldap_bind_dn,
when using ldap_use_sasl.

Also:

ldap_auth_method: <bind|fastbind> <bind|custom|fastbind>
         Specify an authentication method.

     The bind method uses the LDAP bind facility to verify the password.
     The bind method is not available when ldap_use_sasl is turned on.
     In that case saslauthd will use fastbind.

So assuming you don't want to use the custom method, your config looks
like:

ldap_servers: ldap://ldap.example.net/
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

Or whatever mech you want to use. The fastbind auth method appears to just
do a sasl bind with the credentials supplied by the user.

>ldap_verbose: on
>ldap_debug: 10
>ldap_version: 3

Interesting. ldap_debug is in the source but not documented in
LDAP_SASLAUTHD. Works great.

-- 
Dan White
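As an added example (not code from the thread or from Cyrus SASL): a small Python linter that parses a saslauthd.conf and reports the two conflicts pointed out above, ldap_bind_dn used while ldap_use_sasl is on, and ldap_auth_method bind while ldap_use_sasl is on. The function names and the accepted yes/on spellings are assumptions; the sample configs are copied from the quoted question and the reply.

```python
# Added example, not part of the original thread. Checks a saslauthd.conf
# against the two LDAP_SASLAUTHD rules quoted in the reply.
from typing import Dict, List

def parse_saslauthd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped.
    Splitting on the first ':' keeps URLs such as ldap://host:389 intact."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def lint_sasl_bind(conf: Dict[str, str]) -> List[str]:
    """Return warnings that apply only when ldap_use_sasl is turned on."""
    warnings: List[str] = []
    # Accepted truthy spellings are an assumption of this linter.
    use_sasl = conf.get("ldap_use_sasl", "no").lower() in ("yes", "on", "1", "true")
    if not use_sasl:
        return warnings
    if "ldap_bind_dn" in conf and "ldap_id" not in conf:
        warnings.append("ldap_use_sasl is on: ldap_password/ldap_bind_pw belongs "
                        "to ldap_id, not ldap_bind_dn")
    if conf.get("ldap_auth_method", "").lower() == "bind":
        warnings.append("ldap_auth_method bind is unavailable with ldap_use_sasl; "
                        "saslauthd will use fastbind")
    return warnings

# Constructed from the config quoted in the question (placeholders kept).
QUESTION_CONF = """\
ldap_server: ldap://"my server address" :389
ldap_bind_dn: cn=Manager,dc=mycompany,dc=it
ldap_search_base: ou=People,dc=mycompany,dc=it
ldap_filter: (objectClass=inetOrgPerson)
ldap_use_sasl: yes
ldap_bind_pw: "my passwd in SSHA"
ldap_auth_method: bind
"""

# The config suggested in the reply.
ANSWER_CONF = """\
ldap_servers: ldap://ldap.example.net/
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(name, lint_sasl_bind(parse_saslauthd_conf(text)) or ["ok"])
```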
