From: Dieter Kluenter (no email)
Date: Thu Aug 04 2005 - 16:36:41 EDT
Hi,
Hans Moser <> writes:
> Igor Brezac wrote on 04.08.2005 14:11:
>
> Thank you!
>
>> You can do:
>> ldapwhoami -U sasl_ldapdb_id -X u:imapd_username -Y sasl_ldapdb_mech \
>>   -H sasl_ldapdb_uri   # add -ZZ if you require starttls
> with -ZZ
> Output:
> SASL/PLAIN authentication started
> Please enter password: <sasl_ldapdb_id's password>
> SASL username: u:ck
> SASL SSF: 0
> dn:cn=human,ou=mgr,o=foo
>
> Shouldn't the dn be the dn of imapd_username?
>
>> then
>> ldapsearch -U sasl_ldapdb_id -X u:imapd_username -Y sasl_ldapdb_mech \
>>   -H sasl_ldapdb_uri -b dn_from_ldapwhoami -s base \
>>   'objectclass=*' userPassword
> This shows the passwords of entries under ou=humans,o=foo and not
> only of imapd_user.
>
> So I think, some of the authzTo mapping is currently defective.
>
>> sasl_ldapdb_id is not a dn.
> ... because it ends up in something like uid=sasl_ldapdb_id,.*,cn=auth!?
The SASL authentication string always has the form
uid=<someID>,cn=<REALM>,cn=<MECH>,cn=auth,
where the realm is only present if one is defined.
This SASL string has to be mapped to an entry, see slapd.conf(5).
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
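An added example, not part of Dieter's reply nor taken from the OpenLDAP documentation: a slapd.conf fragment that maps both forms of the SASL authentication string described above (with and without a realm) to entries under ou=humans,o=foo, the base used earlier in this thread, and enables the authzTo-based proxy authorization that Hans is testing with -X u:imapd_username. The uid attribute, the base ou=humans,o=foo and the authzTo value are assumptions for illustration only.

```conf
# Added example, not from the original thread.  Assumes user entries live
# under ou=humans,o=foo and carry a uid attribute equal to the SASL user name.

# slapd builds the authentication DN as
#   uid=<someID>,cn=<REALM>,cn=<MECH>,cn=auth     (a realm is configured)
#   uid=<someID>,cn=<MECH>,cn=auth                (no realm)
# and tries each authz-regexp in order; the first pattern that matches wins,
# so the more specific (realm) form is listed first.  The patterns are
# POSIX extended regular expressions; $1, $2, ... refer to the submatches.
# (Releases before 2.2 spell the directive sasl-regexp.)

# With a realm: $1 = someID, $2 = realm, $3 = mechanism
authz-regexp
    "uid=([^,]*),cn=([^,]*),cn=([^,]*),cn=auth"
    "ldap:///ou=humans,o=foo??sub?(uid=$1)"

# Without a realm: $1 = someID, $2 = mechanism
authz-regexp
    "uid=([^,]*),cn=([^,]*),cn=auth"
    "ldap:///ou=humans,o=foo??sub?(uid=$1)"

# A "u:<name>" authorization identity (the -X u:imapd_username above) is
# first expanded by slapd to uid=<name>,cn=<REALM>,cn=<MECH>,cn=auth using
# the realm and mechanism of the authenticating identity, and then run
# through the same rules, so both identities end up as entries in the DIT.

# Proxy authorization: allow the authenticated entry (sasl_ldapdb_id) to
# become another identity only if its own entry says so via authzTo.
authz-policy to
# Assumed value in the entry that sasl_ldapdb_id maps to, restricting the
# identities it may assume to the user entries under ou=humans,o=foo:
#   authzTo: ldap:///ou=humans,o=foo??sub?(objectClass=inetOrgPerson)
```

The replacement on the right-hand side of each rule is an LDAP URI, so the search it names must return exactly one entry; a pattern that matches more than one entry (or none) makes the mapping fail rather than pick an arbitrary entry. With these rules in place, the dn: line printed by the ldapwhoami command from the thread is the entry selected by the search for the authorization identity, which is the quickest way to verify that the mapping and the authzTo restriction behave as intended.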