Auth with ldapdb [checked for viruses]

Dieter Kluenter dieter at dkluenter.de
Fri Aug 5 02:02:11 EDT 2005


Hi,

Hans Moser <hans.moser at ofd-sth.niedersachsen.de> writes:

> Hi!
>
> 1. Chapter - "as is"

> 2. Chapter "ldapdb"
> = There is an ldap-user cn=human,ou=mgr,o=foo, who should do the
> authentications. The real users are in ou=humans,o=foo.
> = TLS works with ldap. I could ldapsearch with "-Z -x"
> - I changed imapd.conf to
> # sasl_pwcheck_method: saslauthd
> sasl_pwcheck_method: auxprob
> sasl_auxprob_plugin: ldapdb
> sasl_ldapdb_uir: ldap://sartre.ador.no
> sasl_ldapdb_id: cn=human,ou=mgr,o=foo
> sasl_ldapdb_pw: secret
> sasl_ldapdb_mech: PLAIN
> # sasl_ldapdb_mech: DIGEST-MD5
> sasl_ldapdb_starttls: Demand
> sasl_ldap_search_base: ou=humans,o=foo
> sasl_ldap_search_filter: uid=%U
> - I added authzTo attribute to cn=human,ou=mgr,o=foo in my ldap
> - I added authzTo-Policy in slapd.conf to map cn=human,... in
> ou=humans,o=foo.
> - I'm stuck. I don't see anything going on when I try to log in.

Although this is more an openldap issue, you should add sasl-regex to
slapd.conf in order to map the sasl authentication string to an entry.

> 3. Chapter "The questions"
> a) How to test with ldapsearch, what cyrus with ldapdb does?

ldapwhoami

> b) Is sasl_ldapdb_id a SASL-id (cn=.*,cn=auth) or a ldap-id?

You may consider it a sasl uid.

> c) sasl_ldapdb_mech - If possible, all mech should be PLAIN or with
> hashed passwords.

If you are referring to the entry's userPassword attribute value, this
could be hashed if you only require PLAIN mechanism, but note that
openldap will refuse a PLAIN mechanism if the data transport is not
secured, i.e. either starttls or ldapi.
 
> d) How to see what's going on? Logging?

Yes, define an appropriate loglevel in slapd.conf, 384 (128+256) for
example.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
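
The slapd.conf side of the advice in the reply above (name mapping, proxy authorization policy, logging), as an added example that is not part of the original message or of anyone's actual configuration. The DNs and host name come from the thread; the SASL user name "human", the test uid "jdoe" and the absence of a SASL realm are assumptions.

```conf
# slapd.conf fragment (added example; values marked "assumed" are not from the thread)

# Log ACL processing (128) plus connection/operation statistics (256).
loglevel 384

# Honour authzTo rules stored in the entry that authenticates (the proxy user).
authz-policy to

# Map SASL authentication names (uid=<name>,cn=<mech>,cn=auth) to directory
# entries. The first matching rule wins, so the proxy user's rule comes before
# the generic one. Older OpenLDAP releases call this directive sasl-regexp.
# Assumed: the proxy authenticates as SASL user "human", with no realm.
authz-regexp
    uid=human,cn=[^,]*,cn=auth
    cn=human,ou=mgr,o=foo

# Every other SASL name is resolved by a search below ou=humans,o=foo.
# The search must return exactly one entry for the mapping to succeed.
authz-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=humans,o=foo??sub?(uid=$1)

# In the directory (LDIF, not slapd.conf) the proxy entry lists whom it may
# act for:
#   dn: cn=human,ou=mgr,o=foo
#   authzTo: ldap:///ou=humans,o=foo??sub?(objectClass=*)
#
# The same proxy bind from the command line, with StartTLS required
# ("jdoe" is an assumed test uid):
#   ldapwhoami -H ldap://sartre.ador.no -ZZ -Y PLAIN -U human -X u:jdoe -W
# On success ldapwhoami reports the DN of the user being acted for, not the
# proxy's own DN; on failure the loglevel above shows which step was refused.
```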



