SASL + LDAP
Dan White
dwhite at olp.net
Thu Apr 15 10:42:25 EDT 2010
On 15/04/10 15:33 +0200, Giovanni Malfarà wrote:
>In slapd (slapd -d -1) debug messages I get:
>
>SASL [conn=7] Debug: DIGEST-MD5 server step 2
>slap_sasl_getdn: u:id converted to
>uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth
>>>> dnNormalize: <uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth>
><<< dnNormalize: <uid=test at mycompany.it,cn=digest-md5,cn=auth>
>==>slap_sasl2dn: converting SASL name
>uid=test at mycompany.it,cn=digest-md5,cn=auth to a DN
>slap_authz_regexp: converting SASL name
>uid=test at mycompany.it,cn=digest-md5,cn=auth
><==slap_sasl2dn: Converted SASL name to <nothing>
>SASL [conn=7] Failure: no secret in database
I have a similar configuration to yours except that I use the authz-regexp
and authz-policy statements instead of what you have. I'm using version
2.4.15:
authz-regexp
"uid=([^,]+),cn=([^,]+),cn=auth"
ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))
authz-policy to
(btcAltUID and btcAccountStatus are non-standard attributes)
This looks alarming:
access to * attrs=userPassword by self write by * write
I have (slightly modified):
access to
attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
by anonymous auth
by self write
by * none
--
Dan White
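As an added illustration (not part of the thread, and not slapd's own code), the following Python models the two things discussed above: how slapd's authz-regexp turns the normalized SASL DN into the LDAP search URL Dan quotes, and a check that flags userPassword ACLs like the "by * write" one he calls alarming. It assumes the archive's "test at mycompany.it" stands for "test@mycompany.it"; the ACL parser is a simplified approximation of slapd.conf syntax, and the filter escaping is a defensive addition.

```python
import re

# Pattern and replacement are the ones quoted in the reply above.
AUTHZ_PATTERN = r"uid=([^,]+),cn=([^,]+),cn=auth"
AUTHZ_REPLACEMENT = ("ldap:///ou=people,dc=example,dc=net??one?"
                     "(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))")
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PASSWORD_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword", "krb5key"}

def escape_filter_value(value):
    """RFC 4515 escaping so a mapped identity cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def authz_regexp_map(sasl_dn, pattern=AUTHZ_PATTERN, replacement=AUTHZ_REPLACEMENT):
    """Approximates slapd: match the normalized SASL DN, expand $n in the LDAP URL."""
    m = re.search(pattern, sasl_dn)
    if not m:
        return None  # slapd then logs "Converted SASL name to <nothing>"
    return re.sub(r"\$(\d)", lambda g: escape_filter_value(m.group(int(g.group(1)))),
                  replacement)

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its parts (scope defaults to base)."""
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?", 3) + ["", "", ""])[:4]
    return {"base": base, "scope": scope or "base", "filter": flt}

def weak_password_acls(acl_text):
    """Return (who, level) pairs giving * / anonymous / users more than auth on secrets."""
    findings = []
    for clause in re.split(r"(?m)^access to\s+", acl_text)[1:]:
        tokens = clause.split()
        if "by" not in tokens:
            continue
        first_by = tokens.index("by")
        attrs = {a.lower() for t in tokens[:first_by] if t.startswith("attrs=")
                 for a in t[len("attrs="):].split(",")}
        if attrs and not attrs & PASSWORD_ATTRS:
            continue  # clause does not cover a secret-bearing attribute
        i = first_by
        while i + 2 < len(tokens) and tokens[i] == "by":
            who, level = tokens[i + 1], tokens[i + 2].split("(")[0]
            i += 3
            if i < len(tokens) and tokens[i] in ("stop", "continue", "break"):
                i += 1  # skip optional control keyword
            if who.lower() in ("*", "anonymous", "users") and level in LEVELS \
               and LEVELS.index(level) > LEVELS.index("auth"):
                findings.append((who, level))
    return findings
```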