On Wed, 2 Jul 2003, Nikola Milutinovic wrote:

> I could be in error, so I'd like to check it out with the list.
>
> SHORT FORM
> ---------------------
> Can SASL mechanism PLAIN authenticate against a realm?

Short Answer: Yes. If you're using sasldb2 directly.

> LONG FORM
> -------------------
> I'm trying to set up Open LDAP 2.1.21 as a ChRoot-ed server. One problem
> that popped up was authentication. Since CRAM-MD5 and DIGEST-MD5 rely on
> SASLDB, for those, I would be forced to have two copies of sasldb2 on my
> server - not a good idea in my opinion (I can make a hard link and solve
> the problem, but still I don't like the idea). Kerberos is still not
> around the corner for me (I will have it eventually, but not right now).
>
> So, I thought to myself, why not SASL Authentication Daemon which would
> lean on the main (and only) SASLDB?

This is perhaps the first reasonable use of the sasldb saslauthd module
I've heard of, but I still would recommend against it.

> I've set up saslauthd and SLapD tries to authenticate against it.
> "testsaslauthd" works OK.
>
> The problem is in the realm parameter. From the logs I can see that
> SLapD sends "realm" as empty string, although I have specified the realm
> on the command line (the tool in this case was "ldapadd"). What is more
> confusing, running SLapD in full debug mode, I can see that the routines
> are correctly assigning the realm, but no realm is passed to the
> saslauthd.

Hmmm, yeah, we don't seem to be parsing the realm out of the username,
and instead are just passing the server-wide realm to the saslauthd
checkpass method.

> If this is the case, what can I do? Create entries without a realm in
> sasldb2? Can I set the realm for saslauthd on the command line?

It looks like there's nothing that can be done to fit this configuration
without code changes to _sasl_checkpass in server.c (or now that I look
at it closer, saslauthd_verify_password in checkpw.c).

Of course, some of the saslauthd modules are probably looking for the
realm in [EMAIL PROTECTED] format instead. They probably want to be fixed
if that's the case.

I suppose you can make use of a mysql database and accomplish roughly
the same thing, only with the main database outside of the chroot. This
would also let you use DIGEST-MD5 and CRAM-MD5.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
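The exchange above turns on what actually crosses the saslauthd socket: the server-wide realm (empty in Nikola's setup) rather than a realm parsed out of the username. The following is an added illustration, not code from the thread, from Cyrus SASL or from OpenLDAP. It assumes the saslauthd request format that testsaslauthd uses (four fields, each prefixed by a 16-bit network-order length, in the order login, password, service, realm, answered by a length-prefixed "OK" or "NO"); the in-memory password table, the `effective_realm` fallback that mirrors the "look for the realm in user@realm" behaviour Rob mentions, and all sample credentials are constructed for the example.

```python
import struct

# Constructed sample "sasldb": (user, realm) -> password. Not a real sasldb2.
DB = {("nikola", "example.org"): "s3cret"}


def encode_request(user, password, service, realm):
    """Build a saslauthd request as testsaslauthd sends it (assumed wire format):
    four strings, each preceded by a 2-byte big-endian length."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode()
        out += struct.pack("!H", len(data)) + data
    return out


def decode_request(buf):
    """Inverse of encode_request; returns (user, password, service, realm)."""
    fields = []
    pos = 0
    for _ in range(4):
        (n,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        fields.append(buf[pos:pos + n].decode())
        pos += n
    if pos != len(buf):
        raise ValueError("trailing bytes in saslauthd request")
    return tuple(fields)


def effective_realm(user, realm, default_realm=""):
    """Hypothetical realm resolution for a saslauthd module.

    If the caller supplied a realm, use it. Otherwise fall back to the
    user@realm convention some modules expect (the fallback Rob says slapd
    does not trigger, because it sends the server-wide realm, here empty)."""
    if realm:
        return user, realm
    if "@" in user:
        login, _, r = user.partition("@")
        return login, r
    return user, default_realm


def check_password(buf, db=DB):
    """Emulate the daemon side: decode, resolve realm, look up, answer.
    Returns the length-prefixed OK/NO reply bytes."""
    user, password, _service, realm = decode_request(buf)
    user, realm = effective_realm(user, realm)
    ok = db.get((user, realm)) == password
    msg = b"OK" if ok else b"NO"
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    # What slapd sends per the thread: login without realm, empty realm -> NO
    print(check_password(encode_request("nikola", "s3cret", "ldap", "")))
    # Explicit realm, as testsaslauthd -r would send it -> OK
    print(check_password(encode_request("nikola", "s3cret", "ldap", "example.org")))
    # user@realm form, which the fallback splits -> OK
    print(check_password(encode_request("nikola@example.org", "s3cret", "ldap", "")))
```

The first call reproduces the symptom in the thread: the entry exists under a realm, but the request carries none, so the lookup fails even though the password is right. Running the same three requests against a real saslauthd via `testsaslauthd -u ... -p ... -r ...` is the quickest way to see which of the two behaviours your module implements.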