Hi,
This is my comprehension:
1. The client is connecting to SLAPD requesting an SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf 
file for settings) to tell the client how to authenticate. In this case, it 
tells the client to use DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against 
the information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and 
returns the results to the client. 

So SLAPD just compares the password received from the client and the one stored in 
sasldb2, how could it relate to the one stored in ldap like "userPassword: 
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=" ?
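To show concretely why the {SHA} value in the directory cannot stand in for the password in sasldb2, here is an added example (not from the thread): a simple-bind style check of the {SHA} userPassword, and the DIGEST-MD5 response computation from RFC 2831, which needs the plaintext password on both sides. The realm, digest-uri and challenge values are constructed.

```python
import base64
import hashlib

# userPassword value quoted in the thread: "{SHA}" + base64(SHA-1(password))
PAGE_USERPASSWORD = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="


def verify_sha_userpassword(candidate: str, stored: str) -> bool:
    """Simple-bind style check: hash the candidate and compare to the stored digest."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only the {SHA} scheme is handled here")
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hashlib.sha1(candidate.encode()).digest() == digest


def digest_md5_response(user, realm, password, nonce, cnonce, nc, qop, uri):
    """Client-side DIGEST-MD5 response (RFC 2831, qop=auth).

    Note that H(user:realm:password) enters A1 as raw 16 bytes, so the server
    must hold either the plaintext password or that exact MD5 value.
    """
    md5 = lambda b: hashlib.md5(b).digest()
    hexmd5 = lambda b: hashlib.md5(b).hexdigest()
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()
    return hexmd5(f"{hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexmd5(a2)}".encode())


def server_verifies(stored_secret, user, realm, response, nonce, cnonce, nc, qop, uri):
    """Server side: recompute the response from whatever secret it has and compare."""
    expected = digest_md5_response(user, realm, stored_secret, nonce, cnonce, nc, qop, uri)
    return expected == response


def demo():
    # Constructed challenge parameters, standing in for the real server/client values.
    params = dict(nonce="constructed-nonce", cnonce="constructed-cnonce",
                  nc="00000001", qop="auth", uri="ldap/ldap.example.com")
    response = digest_md5_response("admin", "example.com", "secret", **params)
    # sasldb2 holds the plaintext, so slapd can recompute the expected response.
    ok_with_sasldb = server_verifies("secret", "admin", "example.com", response, **params)
    # The directory only holds the SHA-1 digest; it cannot be turned back into
    # the plaintext, so nothing derived from it reproduces the client's response.
    ok_with_ldap_hash = server_verifies(PAGE_USERPASSWORD, "admin", "example.com",
                                        response, **params)
    return ok_with_sasldb, ok_with_ldap_hash
```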

-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent....@openldap.org 
[mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent....@openldap.org] On 
Behalf Of Dieter Kluenter
Sent: Wednesday, June 23, 2010 3:33 AM
To: [email protected]
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

"LI Ji D" <[email protected]> writes:

> Hi,
>
> I tried again with the following steps:
>
> dn: uid=admin,ou=People,o=Ever
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]
>
> 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
>
> 5. ./ldapsearch -U admin -Y DIGEST-MD5

[...]

You have the attribute value for userPassword hashed with SHA, that is,
the password hash has a length of 32bit.
SASL requires a plain text password in order to create a challenge; a
challenge based on a 32bit string is different from a challenge based
on a plain text password string.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
