directory-dev mailing list archives

From Emmanuel Lecharny
Subject Re: ApacheDs - DIGEST-MD5
Date Wed, 18 Feb 2009 13:55:57 GMT
The way it's implemented is that it looks up the password of an
entry using this search filter:
"uid=<your user>,<your baseSearchDN>"

So in your case, for a user named 'admin', and if your search base DN
is "dc=example, dc=com", it's searching for the password of an entry
whose DN is "uid=admin,dc=example,dc=com".

If your user name is a DN, then it will look up an entry like
"uid=uid=admin, dc=example,dc=com,dc=example,dc=com"...

Not likely to find the password :)

Now, it may be a bit too rigid, and we can discuss a better way to
handle such mechanisms, but that's another story. FYI, OpenLDAP uses
some configuration to manage SASL auth:

"Now, you should set the sasl-regexp directive in the slapd.conf file
before starting the slapd daemon and testing the authentication. My
slapd.conf file resides at /usr/local/etc/openldap:

sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever

This parameter is in the format of:


The username is taken from sasl and inserted into the ldap search
string in the place of $1"

Emmanuel Lécharny
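
Added example, not part of the message above and not ApacheDS or OpenLDAP code: a small Python model of the two mappings the message describes, the fixed `uid=<user>,<baseSearchDN>` lookup and a sasl-regexp-style rewrite, showing why a DN passed as the user name finds no entry. The directory contents, the stored password and all function names are constructed for illustration.

```python
import re

# Constructed sample directory: normalized DN -> stored password (illustration only).
DIRECTORY = {
    "uid=admin,dc=example,dc=com": "secret",
    "uid=admin,ou=people,o=ever": "secret",
}

def normalize(dn):
    """Lower-case and drop spaces around RDN separators (simplified DN normalization)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def fixed_mapping(username, search_base_dn):
    """Lookup DN as described in the message: uid=<user>,<baseSearchDN>."""
    return "uid=" + username + "," + search_base_dn

def sasl_regexp(auth_dn, pattern, replacement):
    """sasl-regexp-style rewrite: $N in the replacement takes capture group N."""
    m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
    if m is None:
        return None  # rule does not apply to this authentication DN
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def find_password(dn):
    """Return the stored password for a DN, or None when no entry matches."""
    return None if dn is None else DIRECTORY.get(normalize(dn))

if __name__ == "__main__":
    base = "dc=example, dc=com"
    # Plain user name versus a full DN given as the user name.
    for user in ("admin", "uid=admin,dc=example,dc=com"):
        dn = fixed_mapping(user, base)
        print(dn, "->", "found" if find_password(dn) else "no entry")
    # The rule quoted in the message, applied to a SASL authentication DN.
    rule = (r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,o=Ever")
    dn = sasl_regexp("uid=admin,cn=rdnt03,cn=DIGEST-MD5,cn=auth", *rule)
    print(dn, "->", "found" if find_password(dn) else "no entry")
```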
