Hi, Hans Moser <[EMAIL PROTECTED]> writes:
> Hi!
>
> 1. Chapter - "as is"
> 2. Chapter "ldapdb"
> = There is an ldap-user cn=human,ou=mgr,o=foo, who should do the
> authentications. The real users are in ou=humans,o=foo.
> = TLS works with ldap. I could ldapsearch with "-Z -x"
> - I changed imapd.conf to
> # sasl_pwcheck_method: saslauthd
> sasl_pwcheck_method: auxprob
> sasl_auxprob_plugin: ldapdb
> sasl_ldapdb_uir: ldap://sartre.ador.no
> sasl_ldapdb_id: cn=human,ou=mgr,o=foo
> sasl_ldapdb_pw: secret
> sasl_ldapdb_mech: PLAIN
> # sasl_ldapdb_mech: DIGEST-MD5
> sasl_ldapdb_starttls: Demand
> sasl_ldap_search_base: ou=humans,o=foo
> sasl_ldap_search_filter: uid=%U
> - I added authzTo attribute to cn=human,ou=mgr,o=foo in my ldap
> - I added authzTo-Policy in slapd.conf to map cn=human,... in
> ou=humans,o=foo.
> - I'm stuck. I don't see anything going on when I try to log in.

Although this is more an openldap issue, you should add sasl-regex to
slapd.conf in order to map the sasl authentication string to an entry.

> 3. Chapter "The questions"
> a) How to test with ldapsearch, what cyrus with ldapdb does?

ldapwhoami

> b) Is sasl_ldapdb_id a SASL-id (cn=.*,cn=auth) or a ldap-id?

You may consider it a sasl uid.

> c) sasl_ldapdb_mech - If possible, all mech should be PLAIN or with
> hashed passwords.

If you are referring to the entry's userPassword attribute value, this
could be hashed if you only require the PLAIN mechanism, but note that
openldap will refuse a PLAIN mechanism if the data transport is not
secured, i.e. either starttls or ldapi.

> d) How to see what's going on? Logging?

Yes, define an appropriate loglevel in slapd.conf, 384 (128+256) for
example.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
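The slapd.conf side of Dieter's answer (the sasl/authz regexp mapping, the authzTo policy and the loglevel), written out as an added example that is not from the thread. It assumes the proxy entry cn=human,ou=mgr,o=foo is what sasl_ldapdb_id "human" should bind as with the PLAIN mechanism, that no SASL realm is configured, and that the user entries under ou=humans,o=foo carry a uid attribute.

```conf
# slapd.conf fragment (added example). Assumptions: sasl_ldapdb_id is the
# plain SASL uid "human" (not a DN), mechanism PLAIN, no SASL realm, and
# real users live under ou=humans,o=foo with a uid attribute.

# First match wins: map the proxy user's SASL authentication string
# ("uid=<authcid>,cn=<mech>,cn=auth") to its real entry.
authz-regexp
  "uid=human,cn=PLAIN,cn=auth"
  "cn=human,ou=mgr,o=foo"

# Map every other SASL identity (the authorization id ldapdb forwards
# for the logging-in user) to the matching entry under ou=humans,o=foo.
authz-regexp
  "uid=([^,]*),cn=[^,]*,cn=auth"
  "ldap:///ou=humans,o=foo??sub?(uid=$1)"

# Proxy authorization is decided by the authzTo attribute on the
# binding entry (cn=human,...), which already carries it.
authz-policy to

# Log ACL processing (128) and connection/operation stats (256)
# so failed binds and rejected authz requests become visible.
loglevel 384
```

Before reading slapd logs, also compare the imapd.conf keys in the quoted message with the option names Cyrus SASL documents (pwcheck_method auxprop, auxprop_plugin, ldapdb_uri); a misspelled key is silently ignored, and slapd logs nothing if Cyrus never connects.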