On Mon, Dec 17, 2012 at 11:08:11AM -0600, Dan White wrote:
> You should not use the ldapdb auxprop plugin within slapd's sasl config.
> You should be using 'slapd' instead, which is the default (it's an internal
> auxprop plugin distributed with OpenLDAP).
>
> If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is
> ignored anyway

Right, I removed it, but it should not change anything. And indeed it does not change anything.

> ># su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
> > -Y PLAIN -H ldaps://ldap.example.net'
> That command doesn't make sense. '-U uid=someone,dc=example,dc=net'
> should be '-U someone' instead,

I tried that and got the same result.

> and you should create new authz-regexp rules to map a
> sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.

I did this. With debug acl level, I can see that the uid=someone,dc=example,dc=net is tried for auth, but it fails.

> You could also do:
> su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
> with an appropriately written authz-regexp rule. 'someone' would need unix
> file permissions to access your ldapi unix socket.

That works, but what I am looking for is to get SASL PLAIN working over the network with TLS. I want to use authzid.

--
Emmanuel Dreyfus
[email protected]
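For reference, the slapd.conf form of the authz-regexp mapping Dan describes, written as an added example rather than taken from either poster's configuration; it assumes the suffix dc=example,dc=net from the thread and uses placeholder numeric ids for the ldapi case:

```conf
# Added example, not from the thread. Assumes suffix dc=example,dc=net.
#
# A SASL PLAIN bind with authcid "someone" reaches slapd as the SASL DN
#   uid=someone,cn=plain,cn=auth
# (uid=someone,cn=<realm>,cn=plain,cn=auth when the client sends a realm).
# Map it onto the real entry by searching for the matching uid.
authz-regexp
  "^uid=([^,]+),cn=plain,cn=auth$"
  "ldap:///dc=example,dc=net??sub?(uid=$1)"

# The same kind of rule for SASL EXTERNAL over ldapi:///, where the identity
# is the connecting process's unix uid/gid. Replace <gid> and <uid> with the
# numeric ids of the local user "someone" (placeholders, not real values).
authz-regexp
  "^gidNumber=<gid>\+uidNumber=<uid>,cn=peercred,cn=external,cn=auth$"
  "uid=someone,dc=example,dc=net"

# Proxy authorization (the authzid Emmanuel wants) is off by default.
# "to" lets an authenticated entry assume any identity listed in its own
# authzTo attribute (a dn: value or an ldap:/// URI); keep that attribute
# writable only by the directory administrator.
authz-policy to
```

With the first rule in place, the corrected test from the thread is `su -m someone -c 'ldapwhoami -U someone -Y PLAIN -H ldaps://ldap.example.net'`; running slapd with the acl debug level shows which mapped DN the bind is tried against.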
