First of all, thanks for your reply!
I was wondering about that; also, I don't know OpenLDAP, it's my first
encounter with a directory server and LDAP, so my questions are very dumb
questions.
Just thinking of what you told me, I modified my server.xml like so:
<ldapService id="ldapService"
             ipPort="10389"
             allowAnonymousAccess="false"
             saslHost="ldap.example.com"
             saslPrincipal="ldap/[email protected]"
             searchBaseDn="ou=system"
             maxTimeLimit="15000"
             maxSizeLimit="1000">
and created my tree dc=example,dc=com in ou=system, so I have a user with
the following DN: uid=adminrosa,dc=example,dc=com,ou=system
So, I could try something like env.put(Context.SECURITY_PRINCIPAL,
"uid=adminrosa,dc=example,dc=com") and it would look for an entry
"uid=adminrosa,dc=example,dc=com,ou=system", that is my principal + <my
baseSearchDN> as defined in server.xml.
It's still not working; where is my dumb error? :(
Emmanuel Lecharny wrote:
>
> The way it's implemented is that it looks up the password of an
> entry using this search filter:
> "uid=<your user>,<your baseSearchDN>"
>
> so in your case, for a user named 'admin', and if your search base DN
> is "dc=example, dc=com", it's searching for the password of an entry
> whose DN is "uid=admin,dc=example,dc=com".
>
> If your user name is a DN, then it will look up an entry like
> "uid=uid=admin, dc=example,dc=com,dc=example,dc=com"...
>
> Not likely to find the password :)
>
> Now, it may be a bit too rigid, and we can discuss a better way to
> handle such mechanisms, but that's another story. FYI, OpenLDAP uses
> some configuration to manage SASL auth:
>
> "Now, you should set the sasl-regexp directive in the slapd.conf file
> before starting the slapd daemon and testing the authentication. My
> slapd.conf file resides at /usr/local/etc/openldap:
>
> sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth
> uid=$1,ou=People,o=Ever
>
> This parameter is in the format of:
>
> uid=<username>,cn=<realm>,cn=<mech>,cn=auth
>
> The username is taken from sasl and inserted into the ldap search
> string in the place of $1"
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>
--
View this message in context:
http://www.nabble.com/ApacheDs---DIGEST-MD5-tp22076098p22079785.html
Sent from the Apache Directory Project mailing list archive at Nabble.com.
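As an added illustration (not code from ApacheDS, OpenLDAP or anyone in this thread), the following Python models the two SASL-username-to-DN mapping rules the reply describes: the fixed template "uid=<user>,<baseSearchDN>" and OpenLDAP's sasl-regexp rewrite. Python is used only because the point is the DN construction, not the JNDI call. All function names, the tiny in-memory directory and its passwords are constructed for the example; the DNs come from the thread.

```python
import re

# Constructed sample directory: DN -> password. Only the DNs from the thread
# exist here; the passwords are made-up values for the demonstration.
DIRECTORY = {
    "uid=admin,dc=example,dc=com": "constructed-secret-1",
    "uid=adminrosa,dc=example,dc=com,ou=system": "constructed-secret-2",
}


def normalize_dn(dn: str) -> str:
    """Strip whitespace after RDN separators so "dc=example, dc=com" and
    "dc=example,dc=com" compare equal. (Escaped commas are not handled;
    the thread's DNs contain none.)"""
    return ",".join(part.strip() for part in dn.split(","))


def template_mapping(sasl_user: str, search_base_dn: str) -> str:
    """The fixed rule described in the reply: the DN that gets looked up is
    always "uid=<user>,<baseSearchDN>", whatever the user string contains."""
    return normalize_dn(f"uid={sasl_user},{search_base_dn}")


def sasl_regexp_mapping(sasl_user: str, realm: str, mech: str, rules):
    """OpenLDAP-style rewrite: build the authentication identity
    uid=<username>,cn=<realm>,cn=<mech>,cn=auth, then apply the first
    sasl-regexp (pattern, replacement) pair that matches, substituting the
    captured groups for $1, $2, ... Returns None when no rule matches."""
    auth_id = f"uid={sasl_user},cn={realm},cn={mech},cn=auth"
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, auth_id)
        if match:
            dn = replacement
            for i, group in enumerate(match.groups(), start=1):
                dn = dn.replace(f"${i}", group)
            return normalize_dn(dn)
    return None


def looks_like_dn(sasl_user: str) -> bool:
    """Spot a SASL user string that is already a DN. With the template rule
    such a string yields the doubled "uid=uid=...,<base>,<base>" DN the reply
    warns about, so a server could reject or log it instead of searching."""
    rdn = r"[A-Za-z][\w-]*=[^,]+"
    return re.fullmatch(rf"{rdn}(,{rdn})*", sasl_user.strip()) is not None


def lookup_password(dn: str):
    """Fetch the password stored for a DN, or None if no such entry exists."""
    return DIRECTORY.get(normalize_dn(dn))


if __name__ == "__main__":
    # Plain user name with the reply's search base: the entry is found.
    print(template_mapping("admin", "dc=example, dc=com"))
    # User name that is itself a DN: doubled DN, nothing to find.
    print(template_mapping("uid=admin,dc=example,dc=com", "dc=example,dc=com"))
    # The poster's configuration (searchBaseDn="ou=system") under that rule.
    print(template_mapping("uid=adminrosa,dc=example,dc=com", "ou=system"))
    # The sasl-regexp line quoted from the OpenLDAP documentation.
    rule = (r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,o=Ever")
    print(sasl_regexp_mapping("jane", "rdnt03", "DIGEST-MD5", [rule]))
```

Running it shows why a DN-shaped principal never resolves under the template rule, and how the regexp form lets the administrator decide where the SASL user name lands in the tree; the `looks_like_dn` check is the kind of guard a server could apply before issuing the search.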