Hello All,
Thanks to all for helping me out. I hope the destination is not too far now,
as I have achieved SASL, but it is storing the users in sasldb.
However, I want it to store the information in the LDAP directory.
I've installed the corresponding package:
cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
------------------------------------------------------
1> saslpasswd2 -c sasluser14
2> sasldblistusers2
3> service ldap stop
4> vi /etc/openldap/slapd.conf
sasl-auxprops sasldb
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
#auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /etc/sasldb2
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
dn: uid=sasluser14,ou=System,o=xyz
uid: sasluser14
ou: System
description: Special account for SASL Testing
userPassword: sasluser14
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to
use the LDAP directory.
Can anyone please suggest what changes I need to make to achieve it?
Thanks a lot for your support.
Regards,
Gaurav Gugnani
On Mon, Feb 6, 2012 at 9:17 PM, Dan White <[email protected]> wrote:
> On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
>
>> Hello All,
>>
>> Thanks for helping me out; however, I'm still stuck in the middle of it and
>> the issue has not yet been resolved.
>>
>
> You should run your server in debug mode to determine what's going awry.
>
>> Error:
>>
>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz'
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> additional info: SASL(-13): user not found: no secret in database
>>
>> I checked the ACL, and now I'm also using authz with the following lines:
>>
>> authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>
>> access to attrs="userpassword"
>>     by self write
>>     by anonymous auth
>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>> access to dn.base="o=xyz"
>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>     by users read
>> access to dn.subtree="ou=Subscribers,o=xyz"
>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>> access to *
>>     by self write
>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>
>> I hope it is fine.
>>
>
> I have 'by anonymous auth' on the following:
>
> access to dn.base="ou=people,dc=example,dc=net"
> access to attrs=userPassword
> access to attrs=authzTo
> access to attrs=objectClass
> access to attrs=entry,uidNumber
>
> You could determine if that's sufficient for you piecemeal wise but, again,
> use debug output to figure it out. For example:
>
> slapd -d -1 -h ldap:/// -u openldap -g openldap
>
> See the manpage for slapd for details.
>
>
>> Moreover, we can say that the user is created:
>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=sasluser7,ou=System,o=xyz> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # sasluser7, System, xyz
>> dn: uid=sasluser7,ou=System,o=xyz
>> uid: sasluser7
>> ou: System
>> description: Special account for SASL Testing
>> userPassword:: c2FzbVHzZXI3
>>
>
> Be aware that the above is a simple uuencoding of your password. It should
> now be considered publicly known.
>
>
>> objectClass: account
>> objectClass: simpleSecurityObject
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Also, I would like to highlight one thing:
>>
>> When I check for sasl dblist users, it throws me an error. Can that
>> be an issue point?
>> /u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
>> -bash: sasldblistusers: command not found
>>
>
> Any of the cyrus sasl* commands are most likely doing the wrong thing,
> since they default to using the sasldb auxprop store (which uses /etc/sasldb2)
> rather than slapd or ldapdb. I would not use them at this point as they're
> bound to confuse the matter.
>
> --
> Dan White
>
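As an added example, not taken from either message above, this is what steps 4 and 5 of Gaurav's procedure look like with the password lookup moved from sasldb to slapd's built-in `slapd` auxprop plugin (the one commented out in the posted /usr/lib64/sasl2/slapd.conf). File paths, the authz-regexp and the o=xyz suffix come from the message; the `password-hash` line is an assumption about how passwords set later through ldappasswd should be stored, since CRAM-MD5 and DIGEST-MD5 can only be verified against a cleartext userPassword.

```conf
# --- /usr/lib64/sasl2/slapd.conf (Cyrus SASL config read by slapd) ---
# Added example, not the poster's file. "slapd" is OpenLDAP's internal
# auxprop plugin: slapd answers the property lookup from the directory
# entry itself, so /etc/sasldb2 is never consulted.
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
# sasldb_path is irrelevant once the sasldb plugin is no longer selected.

# --- /etc/openldap/slapd.conf (slapd side) ---
# Added example. slapd passes this value to Cyrus SASL as auxprop_plugin
# itself, so the directive here is what actually selects the plugin; the
# posted "sasl-auxprops sasldb" line is what forced the sasldb store.
sasl-auxprops slapd

# Map the SASL authentication id (e.g. sasluser14) onto the entry created
# in step 8. The DN this produces is the entry whose userPassword is read.
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

# Shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) need the cleartext
# password. The step-8 LDIF already stores "userPassword: sasluser14"
# unhashed; this setting (an assumption about later ldappasswd use) keeps
# passwords changed afterwards in cleartext too. It trades at-rest
# protection for DIGEST-MD5 support, so read access to userPassword must
# stay tightly limited.
password-hash {CLEARTEXT}

# Keep "by anonymous auth" on userPassword so the bind-time lookup is
# permitted without exposing the attribute to ordinary reads.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

The `ldapdb` plugin from the installed cyrus-sasl-ldap package is a different tool: it lets other SASL-enabled services look secrets up in an LDAP server over the wire, and is not needed for slapd's own binds.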