SASL + LDAP

Dan White dwhite at olp.net
Thu Apr 15 10:42:25 EDT 2010


On 15/04/10 15:33 +0200, Giovanni Malfarà wrote:
>In slapd (slapd -d -1) debug messages I get:
>
>SASL [conn=7] Debug: DIGEST-MD5 server step 2
>slap_sasl_getdn: u:id converted to
>uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth
>>>> dnNormalize: <uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth>
><<< dnNormalize: <uid=test at mycompany.it,cn=digest-md5,cn=auth>
>==>slap_sasl2dn: converting SASL name
>uid=test at mycompany.it,cn=digest-md5,cn=auth to a DN
>slap_authz_regexp: converting SASL name
>uid=test at mycompany.it,cn=digest-md5,cn=auth
><==slap_sasl2dn: Converted SASL name to <nothing>
>SASL [conn=7] Failure: no secret in database

I have a similar configuration to yours except that I use the authz-regexp
and authz-policy statements instead of what you have. I'm using version
2.4.15:

authz-regexp
   "uid=([^,]+),cn=([^,]+),cn=auth"
   ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))

authz-policy to

(btcAltUID and btcAccountStatus are non-standard attributes)

This looks alarming:

access to * attrs=userPassword by self write by * write

I have (slightly modified):

access to
attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
         by anonymous auth
         by self write
         by * none

-- 
Dan White
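As an added illustration of the two mechanisms in this reply (this is an emulation written for this page, not OpenLDAP's code), the block below first models how authz-regexp turns a SASL name like the one in the quoted debug output into Dan's LDAP URL, and then models slapd's first-match evaluation of "by" clauses, which is what makes "by * write" on userPassword alarming next to "by anonymous auth / by self write / by * none". It assumes the non-standard attributes btcAltUid and btcAccountStatus from the mail, example DNs under ou=people,dc=example,dc=net, a deny-by-default when no rule covers an attribute, and it escapes filter metacharacters in substituted values itself; whether a given slapd version does that escaping is not something the thread shows.

```python
import re
from urllib.parse import unquote

# --- Part 1: authz-regexp emulation ---------------------------------------
# Dan's rule. The SASL name slapd derives from a DIGEST-MD5 bind looks like
# uid=<user>[,cn=<realm>],cn=digest-md5,cn=auth (mechanism lower-cased by
# dnNormalize, as the quoted debug lines show). Attributes are hypothetical.
AUTHZ_REGEXP = [
    (r"uid=([^,]+),cn=([^,]+),cn=auth",
     "ldap:///ou=people,dc=example,dc=net??one?"
     "(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))"),
]

def sasl_name(username, mechanism, realm=None):
    """Build the normalized SASL name for a bind (realm component optional)."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mechanism.lower()}", "cn=auth"]
    return ",".join(parts)

def filter_escape(value):
    """RFC 4515 escaping so a substituted value cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def authz_map(name, rules=AUTHZ_REGEXP):
    """Return the DN/URL produced by the first rule that matches, else None
    (slapd logged 'Converted SASL name to <nothing>' in that case)."""
    for pattern, replacement in rules:
        m = re.search(pattern, name)   # unanchored, like a regex without ^ $
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: filter_escape(m.group(int(g.group(1)))),
                          replacement)
    return None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError("expected ldap:///base?attrs?scope?filter: " + url)
    base, attrs, scope, flt = (unquote(x) for x in m.groups())
    return {"base": base, "attrs": attrs.split(",") if attrs else [],
            "scope": scope or "base", "filter": flt}

# --- Part 2: access-control emulation (first matching 'by' clause wins) ----
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_access(text):
    """Parse 'access to [*] [attrs=a,b] by <who> <level> [by ...]' (subset)."""
    tokens = text.split()
    if tokens[:2] != ["access", "to"] or "by" not in tokens:
        raise ValueError("expected: access to <what> by <who> <level> ...")
    first_by = tokens.index("by")
    attrs = None                      # None: the rule covers every attribute
    for what in tokens[2:first_by]:
        if what.startswith("attrs="):
            attrs = set(what[len("attrs="):].split(","))
    by = tokens[first_by:]
    if len(by) % 3 or by[::3] != ["by"] * (len(by) // 3):
        raise ValueError("malformed by-clauses")
    return {"attrs": attrs, "by": list(zip(by[1::3], by[2::3]))}

def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who> in this emulation: " + who)

def access_granted(rules, requester_dn, target_dn, attr, level):
    """First rule covering attr decides; within it the first matching 'by'
    clause decides and later clauses are never consulted. No matching clause
    means 'none'; no covering rule is denied (assumption of this emulation)."""
    for rule in rules:
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        granted = "none"
        for who, lvl in rule["by"]:
            if who_matches(who, requester_dn, target_dn):
                granted = lvl
                break
        return LEVELS.index(granted) >= LEVELS.index(level)
    return False

ALARMING = [parse_access("access to * attrs=userPassword by self write by * write")]
DAN = [parse_access("""access to
attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
         by anonymous auth
         by self write
         by * none""")]

if __name__ == "__main__":
    name = sasl_name("test@mycompany.it", "DIGEST-MD5")
    print(name, "->", authz_map(name))
    alice = "uid=alice,ou=people,dc=example,dc=net"   # constructed sample DNs
    bob = "uid=bob,ou=people,dc=example,dc=net"
    for label, rules in (("alarming", ALARMING), ("dan", DAN)):
        print(label, "alice may write bob's userPassword:",
              access_granted(rules, alice, bob, "userPassword", "write"))
```

Run as a script it prints the mapped URL for the quoted SASL name and shows that the alarming ACL lets alice (or an anonymous bind) write bob's userPassword while Dan's rules grant only "auth" to anonymous and "write" to the entry's owner. A SASL name carrying a realm component (uid=test,cn=mycompany.it,cn=digest-md5,cn=auth) matches neither pattern and maps to nothing, which is the same outcome as the "<nothing>" in the quoted log.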

