SASL + LDAP

Giovanni Malfarà giovanni.malfara at gmail.com
Fri Apr 16 16:45:51 EDT 2010


On 04/15/2010 04:42 PM, Dan White wrote:
> On 15/04/10 15:33 +0200, Giovanni Malfarà wrote:
>> In slapd (slapd -d -1) debug messages I get:
>>
>> SASL [conn=7] Debug: DIGEST-MD5 server step 2
>> slap_sasl_getdn: u:id converted to
>> uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth
>> >>> dnNormalize: <uid=test at mycompany.it,cn=DIGEST-MD5,cn=auth>
>> <<< dnNormalize: <uid=test at mycompany.it,cn=digest-md5,cn=auth>
>> ==>slap_sasl2dn: converting SASL name
>> uid=test at mycompany.it,cn=digest-md5,cn=auth to a DN
>> slap_authz_regexp: converting SASL name
>> uid=test at mycompany.it,cn=digest-md5,cn=auth
>> <==slap_sasl2dn: Converted SASL name to <nothing>
>> SASL [conn=7] Failure: no secret in database
>
> I have a similar configuration to yours except that I use the authz-regexp
> and authz-policy statements instead of what you have. I'm using version
> 2.4.15:
>
> authz-regexp
>   "uid=([^,]+),cn=([^,]+),cn=auth"
>   ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))
>
>
> authz-policy to
>
> (btcAltUID and btcAccountStatus are non-standard attributes)
>
> This looks alarming:
>
> access to * attrs=userPassword by self write by * write
>
> I have (slightly modified):
>
> access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
>         by anonymous auth
>         by self write
>         by * none
>
Nothing happens using authz-regexp and authz-policy and modifying the
access rule.

What else can I check?

Thank you!


-- 
Giovanni Malfarà

Please do not send me attachments in Word or PowerPoint.
See http://www.gnu.org/philosophy/no-word-attachments.it.html

"What counts in war is not men, it is the man, that is, the soldier who knows how to fight to the end, defending a piece of land or, against all logic, a shred of an idea". (Napoleon Bonaparte).
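
The mapping rule quoted in the reply above can be traced offline to see what a given SASL name turns into. This is an added example, not code from the thread or from OpenLDAP; the sample names are constructed, and Python's `re` is assumed to behave like slapd's regex engine for this pattern.

```python
import re
from urllib.parse import unquote

# Rule as quoted in the reply above: match pattern, then replacement URL.
PATTERN = r"uid=([^,]+),cn=([^,]+),cn=auth"
REPLACEMENT = ("ldap:///ou=people,dc=example,dc=net??one?"
               "(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))")

# Constructed SASL names: without a realm, and with a realm component.
SAMPLES = ["uid=test@example.net,cn=digest-md5,cn=auth",
           "uid=test,cn=example.net,cn=digest-md5,cn=auth"]


def map_sasl_name(sasl_dn, pattern=PATTERN, replacement=REPLACEMENT):
    """Rewrite a SASL name with the rule, or return None if it does not match.
    Assumption: Python's re stands in for slapd's regex engine
    (case-insensitive, unanchored match)."""
    m = re.search(pattern, sasl_dn, re.IGNORECASE)
    if m is None:
        return None

    def group(ref):
        # Expand $0..$9; references past the last group become empty.
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d)", group, replacement)


def parse_search_url(url):
    """Split ldap:///base?attrs?scope?filter; None means a plain DN."""
    if not url.startswith("ldap:///"):
        return None
    parts = url[len("ldap:///"):].split("?", 3)
    base, _attrs, scope, flt = parts + [""] * (4 - len(parts))
    return {"base": unquote(base), "scope": scope or "base",
            "filter": unquote(flt) or "(objectClass=*)"}


def diagnose(sasl_dn):
    """Say what the rule does with one SASL name."""
    mapped = map_sasl_name(sasl_dn)
    if mapped is None:
        return "no match: name is not converted to a DN"
    search = parse_search_url(mapped)
    if search is None:
        return "direct DN: " + mapped
    return "search base={base} scope={scope} filter={filter}".format(**search)


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", diagnose(name))
```

A name that carries a realm component has four parts and is not matched by this three-part pattern, so it gets no DN. For a name that does match, the printed base, scope and filter can be run by hand with ldapsearch; the mapping only succeeds when that search returns exactly one entry.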


More information about the Cyrus-sasl mailing list