Dan
many many thanks for I succeed, at least partially.
Firstly I added slapd.conf to the sasl default dir with the (unique) parameter:
sasl_mech: xmech
Then I stopped and restarted slapd
I had some trouble in understanding what is my ldap URI of the ldapsearch command and eventually I skip it by truning the command into:
ldapsearch -x -h localhost -s "base" -b "" supportedSASLMechanisms
response was:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: XMECH
dn:
supportedSASLMechanisms: XMECH
# search result
search: 2
result: 0 Success
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# numEntries: 1
moreover:
if I omitted -x (that is to say ldapsearch --h localhost -s "base" -b "" supportedSASLMechanisms)
my xmech is got called by the ldapsearch command, as you said , tht proven by the following functions recording themselves into xmech log:
20080820155638 xmech_client_plug_init
20080820155638 xmech_client_mech_new
20080820155638 xmech_client_mech_step
20080820155638 xmech_client_mech_step
20080820155638 xmech_client_dispose
20080820155638 xmech_client_mech_new
20080820155638 xmech_client_mech_step
20080820155638 xmech_client_mech_step
20080820155638 xmech_client_dispose
I just notice that, compared with xmech functions called by sample client, no server functions (xmech_server_mech_new xmech_server_mech_step xmech_server_mech_step) are triggered .
What is missing is:
1) my JXplorer OpenLDAP client authentication doesn't call the xmech (the log remains untouched)
2) the server functions are not called
Dan I want to thank you for your precious indications.
Does anybody know what I'm missing to have JXplorer behave as ldapsearch, that is to say to authenticate people through the xmech?
Many Thanks
Francesco
2008/8/20 Dan White <dwhite@xxxxxxx>
Francesco Grossi wrote:You can restrict which mechanisms are offered by configuring sasl_mech in your sasl slapd.conf (not to be confused with the OpenLDAP slapd.conf configuration file).
I've set up my prototype mechanism xmech (by writing xmech.c and
xmech_init.c and creating libxmech.so & libxmech.la) and call it by the
sample SASL Cyrus client and server so that client.c and server.c seem
working fine (referencing -m x) when used alone: I've
logged callback functions of my xmech.c and the following is recorded during
login phase:
xmech_client_plug_init
xmech_client_mech_new
xmech_client_mech_step
xmech_server_mech_new
xmech_server_mech_step
xmech_server_mech_step.
here's my problem:
How can I instruct OpenLpap to call SASL and my xmech mechanism. When I log
into OpenLDAP the native authentication takes place. How can I make OpenLDAP
route authentication towards SALS (and SASL towards xmech)?
I've benn through some web pages and got out something about slapd.conf and
its sasl parameters, sasl-regexp in particular.
The default location for that file is in /usr/lib/sasl2/. It should be the location that was specified with the --with-configdir configure option when you compiled sasl.
The following would restrict your offered mechanims to xmech:
sasl_mech: xmech
However, if not specified, it should offer all installed mechanisms. I'd recommend running 'pluginviewer' on the server and client systems to verify the mechanism got installed. Also, you can do:
ldapsearch -x -H ldap://ldap.example.com -LLL -s "base" -b "" supportedSASLMechanisms
to find out if the server is offering the mechanism.
You can force ldapsearch to use a specific mechanism with the '-Y' option, or you can specify it in ~/.ldaprc (see man ldap.conf):
SASL_MECH xmech
Do not specify '-x' in your ldapsearch to force it to use SASL.
- Dan