Hi Gaurav,
you show it yourself in the log output that SASL is working OK with
your LDAP server:
1. The conversion from -U serviceusr to the DN
uid=serviceusr,ou=system,o=bcs is OK,
2. (I presume) that the password of this DN was entered correctly with
the ldapsearch command
3. according to your log output, the connection was established
suomi
On 02/13/2012 12:10 PM, Gaurav Gugnani wrote:
Hello Dan,
Thanks a lot for making things work.
I'm jotting down the steps which I executed to make SASL work:
*Steps to make SASL configuration working:*
---------------------------------------------------------------------
1> Install the following packages:
- cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
- cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
2> Create sasl2/slapd.conf
vi /usr/lib64/sasl2/slapd.conf
[root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
3> Modify $LDAP_HOME/etc/openldap/slapd.conf
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
#ACL
access to attrs="userpassword"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.base="o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" read
    by dn="uid=monitorusr,ou=System,o=xyz" read
    by dn="uid=replicator,ou=System,o=xyz" read
    by users read
access to dn.subtree="ou=Subscribers,o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" write
    by dn="uid=monitorusr,ou=System,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.subtree="ou=System,o=xyz"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to *
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
On execution of the command:
ldapsearch -Y DIGEST-MD5 -U serviceusr -b 'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'
It's clearly displaying in the log:
.....
*conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128*
.....
Now, I wanted to confirm: are these the only steps, or am I missing
something?
How do I confirm that SASL has been enabled and it's working fine?
Please provide some input on this.
Thanks and Regards,
Gaurav Gugnani
On Thu, Feb 9, 2012 at 1:48 AM, Dan White <[email protected]> wrote:
On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
Thanks Dan, it worked.
Now hopefully the last query from my side (sorry to bother you so much).
As I gave:
access to dn.subtree="ou=System,o=xyz"
    by dn="uid=sasluser21,ou=System,o=xyz" read
    by anonymous auth
*So, will giving anonymous privilege cause any issue?*
I read the following:
Next is by anonymous auth. This phrase grants an anonymous user (one who
has not yet authenticated) permission to authenticate using a password.
More accurately, it indicates that when a user submits a request for
authentication, the directory server is allowed to perform an
authentication operation (which amounts to comparing the submitted password
with the value in the userPassword attribute for the corresponding user's
entry).
What is its impact? Please shed some light on it.
Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.
--
Dan White
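The two checks suomi describes (the -U authcid mapping to a DN, and a completed bind in the log) can be verified mechanically. The following Python is an added example, not code from the thread or from OpenLDAP: it applies Gaurav's authz-regexp to a SASL authcid the way slapd would, and audits slapd BIND log lines of the kind he quoted, flagging SASL binds whose sasl_ssf falls below a threshold. The log excerpt and the 128-bit threshold are constructed assumptions.

```python
import re

# Constructed sample slapd log excerpt (not from a real server). The DIGEST-MD5
# line mirrors the one quoted in the thread; the simple bind and PLAIN bind are
# added for comparison.
SAMPLE_LOG = """\
conn=12323 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=12323 op=0 BIND dn="" method=163
conn=12323 op=1 BIND dn="uid=serviceusr,ou=System,o=xyz" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" method=128
conn=12325 op=1 BIND dn="uid=guest,ou=System,o=xyz" mech=PLAIN sasl_ssf=0 ssf=0
"""

# The authz-regexp from Gaurav's slapd.conf, kept in slapd's own syntax.
AUTHZ_REGEXP = ("uid=(.*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")

def map_authcid(authcid, mech="DIGEST-MD5"):
    """Emulate authz-regexp: SASL authcid -> SASL DN -> directory DN (or None)."""
    sasl_dn = f"uid={authcid},cn={mech},cn=auth"
    pattern, replacement = AUTHZ_REGEXP
    # slapd writes back-references as $1; Python's re.expand wants \1.
    py_repl = re.sub(r"\$(\d+)", r"\\\1", replacement)
    m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)  # slapd matches case-insensitively
    return m.expand(py_repl) if m else None

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(.*)')

def parse_bind(line):
    """Return a dict for a slapd BIND log line, or None for any other line."""
    m = BIND_RE.match(line.strip())
    if not m:
        return None
    conn, op, dn, rest = m.groups()
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))  # mech=, sasl_ssf=, ssf=, method=
    return {"conn": int(conn), "op": int(op), "dn": dn, **fields}

def audit_binds(log_text, min_ssf=128):
    """Classify completed binds: a SASL bind needs mech and sasl_ssf >= min_ssf."""
    findings = []
    for line in log_text.splitlines():
        b = parse_bind(line)
        if b is None or b["dn"] == "":
            continue  # not a BIND, or the opening (dn="") step of a SASL bind
        if "mech" in b:
            ssf = int(b.get("sasl_ssf", "0"))
            status = "sasl-ok" if ssf >= min_ssf else "sasl-weak"
        else:
            status = "simple"  # password sent as-is; relies on TLS for protection
        findings.append((b["conn"], b["dn"], b.get("mech", "simple"), status))
    return findings
```

Running audit_binds over a real slapd log (loglevel stats) gives the same kind of per-connection verdict; anything reported as sasl-weak or simple on a non-TLS listener is worth tightening in mech_list or the ACLs.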