LDAP+SASL
Norberto Bensa
nbensa at gmail.com
Fri Feb 20 21:14:46 UTC 2009
On Fri, Feb 20, 2009 at 5:23 PM, Michael Peek <peek at tiem.utk.edu> wrote:
> My current authz-* settings:
> ------------------------------------------------------------------------------
> authz-regexp
> uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth
> cn=$1,ou=People,dc=nimbios,dc=org
> authz-regexp
> uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth
> cn=$1,dc=nimbios,dc=org
> authz-regexp
> uid=([^,]*),cn=[^,]*,cn=auth
> cn=$1,ou=People,dc=nimbios,dc=org
> authz-regexp
> uid=([^,]*),cn=[^,]*,cn=auth
> cn=$1,dc=nimbios,dc=org
I just spotted a bug in what I said :-)
Your second and fourth rules will never match. It's pretty obvious now.
Take a careful look at your 1st and 2nd rules, and then at your 3rd
and 4th rules, and you'll understand why.
> Attempt to bind as admin at castor:
This is uid=admin at castor,cn=CRAM-MD5,cn=auth and then -from your
rules- cn=admin at castor,ou=People,dc=nimbios,dc=org
If you have no admin at castor in ou=People, it will not work. Also, if
you store your secrets as SSHA (or some other hashed procedure)
CRAM-MD5, DIGEST-MD5 will not work either.
Now (from your logs), your Mac seems to try again with
uid=admin,cn=CRAM-MD5,cn=auth (cn=admin,ou=People,dc=nimbios,dc=org)
but your userPassword for that entry is hashed with SSHA. You need to
change it to CLEARTEXT if you want CRAM/DIGEST.
Once you fix these problems, repeat your ldapsearch like this:
$ ldapsearch -U admin -Y CRAM-MD5 -W
from your Linux box and your Mac (remember about the matching issue of
your authz-regexp rules. Until you fix them cn=admin is the one in
ou=People)
> I really, really, really appreciate your help!
I'm starting to think that I don't know as much LDAP as I used to think.
That's scary considering the setup I made at work :-/
Regards,
Norberto
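To see why the shadowing happens, here is an added simulation (not part of the thread and not slapd's own code) of how slapd walks authz-regexp rules in configuration order and uses the first pattern that matches the SASL identity string. It assumes "admin at castor" in the archive stands for the login name admin@castor, and models only first-match selection and $N substitution, not slapd's identity normalization.

```python
import re

# The four authz-regexp rules quoted in the thread, in slapd.conf order.
# Each is (pattern, replacement); slapd tries them top to bottom and the
# first pattern that matches the identity decides the mapped DN.
RULES = [
    (r"uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth", "cn=$1,ou=People,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth", "cn=$1,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "cn=$1,ou=People,dc=nimbios,dc=org"),
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "cn=$1,dc=nimbios,dc=org"),
]


def sasl_identity(authcid, mech, realm=None):
    """Build the uid=...,cn=[realm,]cn=<mech>,cn=auth string a SASL bind yields."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def map_identity(identity, rules=RULES):
    """Return (1-based rule number, mapped DN) for the first matching rule, else None."""
    for idx, (pattern, template) in enumerate(rules, start=1):
        m = re.search(pattern, identity)  # unanchored, like POSIX regexec
        if m:
            # Expand $1..$9 from the capture groups of the matching rule.
            dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
            return idx, dn
    return None


def shadowed_rules(rules=RULES):
    """List (rule, earlier_rule) pairs whose pattern repeats an earlier one verbatim.

    Such a rule can never win: whatever it matches, the earlier rule
    already matched first. This is exactly what rules 2 and 4 suffer from.
    """
    first_seen = {}
    shadowed = []
    for idx, (pattern, _) in enumerate(rules, start=1):
        if pattern in first_seen:
            shadowed.append((idx, first_seen[pattern]))
        else:
            first_seen[pattern] = idx
    return shadowed
```

Running `map_identity(sasl_identity("admin@castor", "CRAM-MD5"))` shows the bind landing on rule 3 and ou=People, while `shadowed_rules()` reports rules 2 and 4 as dead.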