Thanks, Howard; I think I'm beginning to understand this. So, the AUTHENTICATION piece is done by SASL using digest_md5, an 'external' connection to TLS, etc. But the AUTHORIZATION piece is handled by the rules defined in the access control policy section of slapd.conf, right?
Thanks tl -----Original Message----- From: Howard Chu [mailto:[EMAIL PROTECTED] Sent: Monday, April 02, 2007 3:36 PM To: Lemons, Terry Cc: [EMAIL PROTECTED]; openldap-software@openldap.org Subject: Re: DIGEST-MD5 returns 'user not found' [EMAIL PROTECTED] wrote: > Hi Howard > >> The SASL library tries all available information sources. If there was > a >> "root" user record in your sasldb2 file it would have been used. Since >> your sasldblistusers2 output shows "[EMAIL PROTECTED]" I'd say you have the >> wrong realm info in your database, as that doesn't match either "root" >> or "[EMAIL PROTECTED]". > > And that was the problem. When I added "[EMAIL PROTECTED]" to the sasl > database, ldapsearch worked! MANY thanks for this! > > It's interesting (at least, to me) to note that I didn't need any of the > authentication identity mapping entries (as described in section 11.2.4 > of the "OpenLDAP Software 2.3 Administrator's Guide" to make this work > (not even the "password-hash {cleartext}" entry that some resources said > to add). Those config items are only needed if you intend to use entries in LDAP for the SASL authentication info, instead of sasldb. Generally, that is the best thing to do. > So what gives this SASL mechanism the authority to perform tasks via > LDAP? Authentication and authorization are two separate things. When you configure your server to support SASL, that means you want to trust SASL to authenticate users. Regardless of authentication mechanism, ACLs are used to grant authority to particular users to perform various tasks. > Thanks! > tl -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/