Authenticating with LDAP tree ...

Craig White craigwhite at azapple.com
Mon Jul 13 12:42:36 EDT 2009


On Mon, 2009-07-13 at 08:18 +0200, Garry wrote:
> Hi,
> 
> I'm trying to authenticate users against an LDAP database ... now, I
> already have that running on several servers that use the "normal" tree
> setup, something like "cn=username,ou=somebranch,ou=domain,ou=tld", with
> a search_base of ou=domain,ou=tld. The place I'm trying to configure it
> for now is using a - AFAICT - rather unusual schema, as they have a tree
> that uses multiple top level o=, and start underneath there, so there
> may be user entries like
> 
> 	cn=user1,ou=USERS,o=branch1
> and	cn=user2,ou=USERS,o=branch2
> 
> (historically, ldap trees from several locations were just merged
> together, which led to this)
> 
> How can I get SASL to search in such a configuration? I already tried a
> "ou=USERS,o=*" syntax, which I didn't expect to work (and it didn't)
> 
> Also, I know that saslauthd or other apps will need to check the
> resulting username/pw, so I tried binding with the DN and PW of an
> account, resulting in a "Confidentiality required" ... using ldaps://
> notation didn't work, as the remote server (Novell eDirectory) probably
> isn't configured for that, and -Z for TLS also fails with
> 
> ldap_start_tls: Server is unavailable (52)
>         additional info: TLS services are not available
> 
> From what I can find, the message should come up if the server is
> configured for requiring secure queries, but then I would expect it to
> also be configured to SUPPORT either one of the methods ...
> 
> Help appreciated,
----
I believe that to use ldap_tls, you have to configure the certs
properly. If you need to use sasl and not passwords embedded in ldap,
then this may not be of much use but you should be able to set

ldap_filter: (|(cn=%s,ou=USERS,o=branch1)(cn=%s,ou=USERS,o=branch2))

and leave the search base blank for multiple locations of users

Craig
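The search-then-bind pattern the thread is circling around, written out as an added example that is not part of either message and not saslauthd's own code: the client tries each configured base DN in turn, escapes the login name before substituting it into the filter (RFC 4515, section 2.4), refuses ambiguous results, and only then binds as the DN it found. The base DNs ou=USERS,o=branch1 and ou=USERS,o=branch2 are the ones Garry quotes; the in-memory directory, its entries and passwords are constructed sample data standing in for the eDirectory server, and transport security (the TLS the server's "Confidentiality required" result is asking for) is not modelled.

```python
import re
from typing import List, Optional

# Constructed sample directory: DN -> attributes. Stands in for the LDAP
# server so the example runs offline; these entries are made up.
DIRECTORY = {
    "cn=user1,ou=USERS,o=branch1": {"cn": "user1", "userPassword": "s3cret-1"},
    "cn=user2,ou=USERS,o=branch2": {"cn": "user2", "userPassword": "s3cret-2"},
    "cn=admin,ou=ADMINS,o=branch1": {"cn": "admin", "userPassword": "adm-pw"},
}

# The two subtrees from the question. A single search base cannot cover
# both o= roots, so the client iterates over the configured bases itself.
SEARCH_BASES = ["ou=USERS,o=branch1", "ou=USERS,o=branch2"]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 2.4).

    Characters with filter syntax meaning (* ( ) \\ and NUL) are replaced
    by \\XX hex escapes so the login name is always matched literally.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(username: str) -> str:
    """Equality filter on cn, the attribute used in the DNs above."""
    return "(cn=%s)" % escape_filter_value(username)


_EQ = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<val>.*)\)$")


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\XX escapes, as a server does when evaluating."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(base: str, ldap_filter: str) -> List[str]:
    """Minimal subtree search over DIRECTORY, equality filters only.

    Returns the DNs under `base` whose attribute equals the filter value.
    """
    m = _EQ.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, want = m.group("attr"), _unescape(m.group("val"))
    suffix = "," + base.lower()          # DNs are case-insensitive
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and attrs.get(attr) == want]


def simple_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only for a known DN and password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def find_user_dn(username: str) -> Optional[str]:
    """Resolve a login name to exactly one DN across all search bases.

    None is returned both when nothing matches and when the same cn exists
    under more than one branch; an ambiguous hit must never be bound to.
    """
    flt = build_filter(username)
    hits: List[str] = []
    for base in SEARCH_BASES:
        hits.extend(search(base, flt))
    if len(hits) != 1:
        return None
    return hits[0]


def authenticate(username: str, password: str) -> bool:
    """Search-then-bind: find the DN, then bind as it with the password."""
    dn = find_user_dn(username)
    return dn is not None and simple_bind(dn, password)


if __name__ == "__main__":
    for user, pw in [("user1", "s3cret-1"), ("user2", "wrong"), ("admin", "adm-pw")]:
        print(user, "->", find_user_dn(user), authenticate(user, pw))
```

The admin entry is deliberately placed under ou=ADMINS so the run shows that only the configured bases are consulted: that account is not found and cannot authenticate through this path, even with the right password.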

