LDAP+SASL

Norberto Bensa nbensa at gmail.com
Fri Feb 20 18:33:56 UTC 2009


On Fri, Feb 20, 2009 at 12:30 PM, Michael Peek <peek at tiem.utk.edu> wrote:
> The only information missing from the above (I think) is the
> userPassword entries:
> dn: cn=admin,dc=nimbios,dc=org has userPassword: {SSHA}... and
> dn: cn=admin,ou=people,dc=nimbios,dc=org has userPassword: {CLEARTEXT}...

Nothing is missing. You bind as admin at castor, not as cn=admin,dc=...
And you have:

  access to attrs=userPassword,shadowLastChange
         by dn="cn=admin,dc=nimbios,dc=org" write
         by anonymous auth
         by self write
         by * none


So nothing is missing. You explicitly asked for access to userPassword to
be available only to self and cn=admin,dc=...   Everyone else must
authenticate.


> On the Mac, I have tried telling it to bind with the following dn's:
>
> cn=admin,dc=nimbios,dc=org
> cn=admin,ou=people,dc=nimbios,dc=org
> cn=admin,cn=CRAM-MD5,cn=auth
> uid=admin,dc=nimbios,dc=org
> uid=admin,ou=people,dc=nimbios,dc=org
> uid=admin,cn=CRAM-MD5,cn=auth
>
> I'm not really sure which one I'm /supposed/ to use, these are just the
> variants that I've thought to try.

Hmmm... From slapd.conf, you could try: "cn=admin,dc=nimbios,dc=org" ;-)

*But* (unless I'm overlooking something) you have no authz-regexp
returning cn=admin....

Something like this should work:

authz-regexp
  uid=([^,]*),cn=[^,]*,cn=auth
  cn=$1,dc=nimbios,dc=org


Regards,
Norberto
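
A small model of the mapping discussed in this thread, added as an illustration and not part of the original post: it applies the suggested authz-regexp rule to a SASL identity, then evaluates the quoted userPassword ACL. The target entry, the function names, and the case-insensitive, unanchored matching are assumptions of this example.

```python
import re

# authz-regexp rules as (match, replace) pairs, tried in order; first match wins.
# This single rule is the one suggested in the thread.
RULES = [(r"uid=([^,]*),cn=[^,]*,cn=auth", "cn=$1,dc=nimbios,dc=org")]

ADMIN_DN = "cn=admin,dc=nimbios,dc=org"  # the DN named in the thread's ACL


def map_sasl_dn(authc_dn, rules=RULES):
    """Return the DN a SASL identity is rewritten to, or the input if no rule matches."""
    for pattern, replacement in rules:
        # Assumption: matching is case-insensitive and unanchored.
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            # The result is the replacement string with $n groups filled in.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn


def userpassword_access(bound_dn, target_dn):
    """Evaluate the thread's userPassword ACL clause by clause."""
    dn = (bound_dn or "").lower()
    if dn == ADMIN_DN:
        return "write"   # by dn="cn=admin,dc=nimbios,dc=org" write
    if not dn:
        return "auth"    # by anonymous auth
    if dn == target_dn.lower():
        return "write"   # by self write
    return "none"        # by * none


def demo():
    target = "uid=peek,ou=people,dc=nimbios,dc=org"  # constructed sample entry
    sasl = "uid=admin,cn=CRAM-MD5,cn=auth"           # SASL identity form from the thread
    # Constructed variant: a period where the DN needs a comma.
    mistyped = [(RULES[0][0], "cn=$1,dc=nimbios.dc=org")]
    return {
        "no rule": userpassword_access(sasl, target),
        "rule": userpassword_access(map_sasl_dn(sasl), target),
        "mistyped rule": userpassword_access(map_sasl_dn(sasl, mistyped), target),
    }


if __name__ == "__main__":
    print(demo())
```

Without a rule, or with a replacement that does not produce exactly the DN in the ACL, the SASL identity falls through to "by * none".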



