Hi, I can understand the disadvantage of using sasldb; I just want to test SASL with sasldb. Is there any way I can solve this issue? I can't find out which version of db sasldb is using. Thanks for your response, it helps me a lot.

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; [email protected]
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D wrote:
> Hi,
>
> I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
> /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
> Gets the response as below:
>
> SASL/DIGEST-MD5 authentication started
>
> Please enter your password:
>
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> additional info: SASL(0): successful result
>
> that's because slapd program is stopped for some reason, here is the log of slapd:
> <==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
>
> slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
>
> Segmentation fault

Most likely your sasldb was compiled against a different version of BerkeleyDB than slapd.

In general, using sasldb is a mistake. You cannot administer it remotely, and it has no provisions for re-entrancy / thread-safety.

> -----Original Message-----
> From: Howard Chu [mailto:[email protected]]
> Sent: Tuesday, August 10, 2010 1:53 PM
> To: Dan White
> Cc: LI Ji D; Dieter Kluenter; [email protected]
> Subject: Re: PROBLEM: can't use SASL to authentication openldap client
>
> Dan White wrote:
> >> On 09/08/10 14:52 -0700, Howard Chu wrote:
> >> > Dan White wrote:
> >> >> On 09/08/10 16:56 +0800, LI Ji D wrote:
> >> >>> Hi,
> >> >>> My problem is that I expect slapd to authenticate with the password
> stored in sasldb. But it's not, it uses the password stored in userpassword
> attribute of this user which is a item of openldap.
> >> >>> So I want to know, how can slapd use password stored in sasldb to do the
> sasl authentication.
> >> >>
> >> >> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
> >> >> did not provide the expected response. Regardless of whether I set it to
> >> >> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
> >> >> internal slapd plugin.
> >> >>
> >> >> I recommend you file a bug report.
> >> >
> >> > File the bug with the correct people. OpenLDAP doesn't do anything in
> >> > particular with SASL configuration. If you can't get the desired behavior
> >> > by setting the SASL config file, then file a bug against Cyrus SASL.
> >>
> >> It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
> >> found the insertion of a SASL_CB_GETOPT function which replaces whatever
> >> auxprop_plugin value is found in the sasl config file with the
> >> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> >> sasl-auxprops is defined.
> >>
> >> It's perfectly documented in the slapd.conf man page... just never occurred
> >> to me to look.
> >>
> >> LI,
> >>
> >> setting:
> >>
> >> sasl-auxprops sasldb
> >>
> >> within the openldap slapd.conf works for me.
>
> My mistake. This was added last year.
>
> http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
>
> --
>
> -- Howard Chu
>
> CTO, Symas Corp. http://www.symas.com
>
> Director, Highland Sun http://highlandsun.com/hyc/
>
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
