Hello Dan,
Thanks a lot for making things work.
I'm jotting down the steps which I executed to make SASL work:
*Steps to make the SASL configuration work:*
---------------------------------------------------------------------
1> Install the following packages:
- cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
- cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
2> Create sasl2/slapd.conf
vi /usr/lib64/sasl2/slapd.conf
[root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
3> Modify $LDAP_HOME/etc/openldap/slapd.conf
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
#ACL
access to attrs="userpassword"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.base="o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" read
    by dn="uid=monitorusr,ou=System,o=xyz" read
    by dn="uid=replicator,ou=System,o=xyz" read
    by users read
access to dn.subtree="ou=Subscribers,o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" write
    by dn="uid=monitorusr,ou=System,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.subtree="ou=System,o=xyz"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to *
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
On execution of the command:
ldapsearch -Y DIGEST-MD5 -U serviceusr -b 'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'
It is clearly displayed in the log:
.....
*conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128*
.....
Now, I wanted to confirm whether these are the only steps, or am I missing
something?
How do I confirm that SASL has been enabled and it's working fine?
Please provide some input on this.
Thanks and Regards,
Gaurav Gugnani
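One way to answer the "how do I confirm it's working" question from the slapd log rather than from the config: the following is an added example (not from this thread) that scans the BIND summary lines slapd writes at the stats loglevel, in the format quoted above, and labels each bind by whether the SASL mechanism negotiated a security layer (sasl_ssf > 0), the session was only TLS-protected, or it was a SIMPLE bind with ssf=0. The sample lines are constructed (the DIGEST-MD5 line is the one from the mail; the other DNs are made up); point it at your real slapd log instead of SAMPLE_LOG.

```python
import re

# Summary line slapd logs for every completed BIND (format from the excerpt above).
# Simple binds are logged as mech=SIMPLE with no sasl_ssf field; 'ssf' is the
# effective connection strength, whichever of TLS or the SASL layer provides it.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+)(?: sasl_ssf=(?P<sasl_ssf>\d+))? ssf=(?P<ssf>\d+)')

# Constructed sample log: the DIGEST-MD5 bind from the mail plus two made-up binds.
SAMPLE_LOG = [
    'conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128',
    'conn=12323 op=1 RESULT tag=97 err=0 text=',
    'conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" method=128',
    'conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" mech=SIMPLE ssf=0',
    'conn=12325 op=2 BIND dn="uid=replicator,ou=System,o=xyz" mech=PLAIN sasl_ssf=0 ssf=256',
]

def parse_binds(lines):
    """Extract one record per BIND summary line; all other log lines are ignored."""
    binds = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            d = m.groupdict()
            binds.append({
                "conn": int(d["conn"]), "op": int(d["op"]), "dn": d["dn"],
                "mech": d["mech"],
                "sasl_ssf": int(d["sasl_ssf"] or 0),   # absent for SIMPLE binds
                "ssf": int(d["ssf"]),
            })
    return binds

def classify(bind):
    """Label a bind by how the credentials and the session were protected."""
    if bind["mech"] == "SIMPLE":
        return "simple-cleartext" if bind["ssf"] == 0 else "simple-over-tls"
    if bind["sasl_ssf"] > 0:
        return "sasl-with-security-layer"   # e.g. DIGEST-MD5 integrity/privacy layer
    if bind["ssf"] > 0:
        return "sasl-over-tls"              # e.g. PLAIN inside a TLS session
    return "sasl-unprotected"               # SASL mech, but nothing protects the session

def sasl_report(lines):
    """Count binds per class; a working DIGEST-MD5 setup shows as sasl-with-security-layer."""
    report = {}
    for b in parse_binds(lines):
        label = classify(b)
        report[label] = report.get(label, 0) + 1
    return report
```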
On Thu, Feb 9, 2012 at 1:48 AM, Dan White <[email protected]> wrote:
> On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
>
>> Thanks Dan, it worked.
>>
>> Now hopefully last query from my side (sorry to bother you so much)
>>
>> As I gave:
>>
>> access to dn.subtree="ou=System,o=xyz"
>> by dn="uid=sasluser21,ou=System,o=xyz" read
>> by anonymous auth
>>
>> *So, will giving anonymous privilege cause any issue?*
>>
>> I read following:
>> Next is by anonymous auth. This phrase grants an anonymous user (one who
>> has not yet authenticated) permission to authenticate using a password.
>> More accurately, it indicates that when a user submits a request for
>> authentication, the directory server is allowed to perform an
>> authentication operation (which amounts to comparing the submitted
>> password
>> with the value in the userPassword attribute for the corresponding user's
>> entry).
>>
>> What is its impact? Please shed some light on it.
>>
>
> Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.
>
> --
> Dan White
>