Using SASL with the tcllib ldap client
The current SASL support in the ldap client has been tested against OpenLDAP 2.3 with Cyrus SASL,
but is still considered experimental.
The OpenLDAP slapd.conf used for testing contained the following entries, which map the SASL
authentication identity to a directory entry. The SASL passwords themselves are not stored in
the directory but in the Cyrus sasldb, where they were created with saslpasswd2:
# SASL Mappings
#
sasl-host localhost
sasl-realm ldap
authz-regexp
        uid=([^,]+),(cn=[^,]+,)?cn=digest-md5,cn=auth
        ldap:///ou=SomeOU,dc=tcllib,dc=tcltk??one?(uid=$1)
authz-regexp
        uid=([^,]+),(cn=[^,]+,)?cn=cram-md5,cn=auth
        ldap:///ou=SomeOU,dc=tcllib,dc=tcltk??one?(uid=$1)
The continuation lines of each authz-regexp must be indented, as slapd.conf treats a line starting
with whitespace as part of the previous directive, and the replacement refers to the first regexp
group as $1. The SASL identity produced by a DIGEST-MD5 bind as user u007 in realm ldap is
uid=u007,cn=ldap,cn=digest-md5,cn=auth; the first rule rewrites it into a one-level search for
(uid=u007) below ou=SomeOU, so the bound connection is identified by the matching entry rather
than by the raw SASL name. Note that both mechanisms mapped here are obsolete: RFC 6331 moved
DIGEST-MD5 to Historic status and CRAM-MD5 is likewise deprecated, so outside a test setup the
connection should at least be protected by TLS. A typical user entry on that server looks like
this (in LDIF):
dn: cn=James Bond,ou=SomeOU,dc=tcllib,dc=tcltk
objectClass: inetOrgPerson
cn: James Bond
sn: Bond
uid: u007
With that in place you can perform a SASL bind from the tcllib ldap client as follows. Note that
ldap::bindSASL takes the connection handle as its first argument, followed by the SASL user name
(the uid in the sasldb, not the DN) and the password:
package require ldap 1.6

# Plain connection to the test server; the password is only used to answer
# the DIGEST-MD5/CRAM-MD5 challenge and is never sent in the clear.
set handle [ldap::connect localhost]

# bindSASL handle ?name? ?password?
set auth [ldap::bindSASL $handle u007 "mollypenny"]
if {$auth} {
    puts "Successfully bound with SASL"
} else {
    puts "SASL bind failed"
}
To find out which authorization identity (authzId) the server actually assigned to the bound
connection, use the ldap::whoami command. If the authz-regexp mapping matched, OpenLDAP reports the
mapped DN; if it did not, you get back the unmapped SASL identity of the form
uid=u007,cn=ldap,cn=digest-md5,cn=auth, which is the first thing to check when access control
behaves unexpectedly after a successful bind:
puts "authzId: [ldap::whoami $handle]"
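The following script ties the steps above together as an added example; it is not part of the tcllib documentation or of the ldap package itself. It assumes the slapd configuration and the u007 user from this page, a server reachable on localhost port 389, and the tcllib ldap and SASL packages. Before binding it reads the supportedSASLMechanisms attribute of the root DSE, so a mismatch between the mechanisms the server offers and the ones the authz-regexp rules cover is visible; after binding it compares the whoami result against the DN the mapping is expected to produce. The variable names (host, port, user, password, expectDN) and the helper saslMechanisms are this example's own.

```tcl
# Added example, not from the tcllib ldap documentation.
# Assumes: slapd on localhost:389 with the authz-regexp rules shown above,
# user u007 present in the Cyrus sasldb, tcllib ldap >= 1.6 and SASL packages.
package require ldap 1.6
package require SASL

# Hypothetical settings for this example only.
set host     localhost
set port     389
set user     u007
set password "mollypenny"
# DN the authz-regexp mapping is expected to resolve u007 to.
set expectDN "cn=James Bond,ou=SomeOU,dc=tcllib,dc=tcltk"

# Read the root DSE (empty base DN, base scope) and collect the SASL
# mechanisms the server advertises, so a bind failure can be told apart
# from "the server never offered DIGEST-MD5/CRAM-MD5 in the first place".
proc saslMechanisms {handle} {
    set results [ldap::search $handle "" "(objectClass=*)" \
                     {supportedSASLMechanisms} -scope base]
    set mechs {}
    foreach entry $results {
        foreach {dn attrs} $entry break
        foreach {attr values} $attrs {
            if {[string equal -nocase $attr supportedSASLMechanisms]} {
                lappend mechs {*}$values
            }
        }
    }
    return $mechs
}

# ldap::connect host ?port?; for a server that is not on the loopback
# interface use ldap::secure_connect (LDAPS, needs the tls package) instead.
set handle [ldap::connect $host $port]
puts "server offers SASL mechanisms: [saslMechanisms $handle]"

# Treat both an error raised by bindSASL (for example no usable mechanism)
# and a false result (credentials rejected) as a failed bind.
if {[catch {ldap::bindSASL $handle $user $password} auth]} {
    puts "SASL bind error: $auth"
    ldap::disconnect $handle
    exit 1
}
if {!$auth} {
    puts "SASL bind failed: server rejected credentials for $user"
    ldap::disconnect $handle
    exit 1
}

# A successful bind is not enough: verify the identity the server assigned.
# With a broken authz-regexp the connection stays bound as the raw SASL
# name (uid=u007,cn=ldap,cn=digest-md5,cn=auth) and ACLs written for the
# entry's DN will not apply.
set authzId [ldap::whoami $handle]
puts "authzId: $authzId"
if {[string first $expectDN $authzId] < 0} {
    puts "warning: authz-regexp did not map $user to $expectDN"
}

ldap::unbind $handle
ldap::disconnect $handle
```

The DN comparison uses string first rather than exact equality because the whoami response carries the authzId with a dn: prefix; if your server returns the identity in a different form, adjust the check accordingly.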