Using SASL with the tcllib ldap client

The current SASL support for the ldap client has been tested with OpenLDAP 2.3 and Cyrus SASL,
but is considered experimental.

The OpenLDAP slapd.conf file used for testing had the following entries to map the
SASL auth information to directory entries; the actual SASL passwords were stored in the sasldb
with the help of saslpasswd2:

     # SASL Mappings
     #
     # slapd builds the DN uid=<user>,cn=<mechanism>,cn=auth from the SASL
     # authentication identity. Each authz-regexp below rewrites that DN into
     # an LDAP search URL that looks one level below ou=SomeOU for the entry
     # whose uid equals the captured user name ($1).

     sasl-host localhost
     sasl-realm ldap
     authz-regexp
         uid=([^,]+),(cn=[^,]+,)?cn=digest-md5,cn=auth
         ldap:///ou=SomeOU,dc=tcllib,dc=tcltk??one?(uid=$1)

     authz-regexp
         uid=([^,]+),(cn=[^,]+,)?cn=cram-md5,cn=auth
         ldap:///ou=SomeOU,dc=tcllib,dc=tcltk??one?(uid=$1)

A typical user entry on that server (in LDIF form) would be, for example; its uid attribute
is what the authz-regexp rules above match against:

     dn: cn=James Bond,ou=SomeOU,dc=tcllib,dc=tcltk
     objectClass: inetOrgPerson
     cn: James Bond
     sn: Bond
     uid: u007

Now you can SASL auth with the tcllib ldap client with the following (ldap::bindSASL takes the
connection handle as its first argument):

   package require ldap 1.6

   set handle [ldap::connect localhost]
   set auth [ldap::bindSASL $handle u007 "mollypenny"]
   if {$auth} {
       puts "Successfully bound with SASL"
   } else {
       puts "SASL bind failed"
   }

To find out your real authzId, i.e. the identity the server mapped you to via the authz-regexp
rules, you can then use the ldap::whoami command:

   puts "authzId: [ldap::whoami $handle]"
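Putting the steps together, here is an added example (not part of the tcllib ldap module or of this document) that binds with SASL and then uses ldap::whoami to verify that the server mapped the SASL identity to the expected directory entry instead of leaving it as the unmapped uid=...,cn=auth DN. It assumes Tcl 8.6, the localhost server, user and password used above, and that the root DSE can be read anonymously.

```tcl
package require ldap 1.6

# Connect, bind via SASL and confirm which entry the server mapped us to.
# host, uid, password and expectedDn are the values used elsewhere in this
# file (assumed, not read from any real server).
proc saslBindAndVerify {host uid password expectedDn} {
    set handle [ldap::connect $host]
    try {
        # Read the root DSE first so a failed bind can be distinguished
        # from a server that does not offer DIGEST-MD5 or CRAM-MD5 at all.
        set rootDse [ldap::search $handle "" "(objectClass=*)" \
                         {supportedSASLMechanisms} -scope base]
        set mechs {}
        foreach entry $rootDse {
            lassign $entry dn attrs
            if {[dict exists $attrs supportedSASLMechanisms]} {
                set mechs [dict get $attrs supportedSASLMechanisms]
            }
        }
        puts "server offers SASL mechanisms: $mechs"

        if {![ldap::bindSASL $handle $uid $password]} {
            return -code error "SASL bind failed for uid $uid"
        }

        # whoami returns the authzId we were actually bound as; with a
        # working authz-regexp this is "dn:<entry DN>", otherwise the
        # unmapped form "dn:uid=...,cn=<mech>,cn=auth".
        set authzId [ldap::whoami $handle]
        puts "authzId: $authzId"
        if {$authzId ne "dn:$expectedDn"} {
            return -code error \
                "bound as '$authzId', expected 'dn:$expectedDn' (check authz-regexp)"
        }
        return $authzId
    } finally {
        # Always release the connection, whether or not the bind succeeded.
        catch {ldap::unbind $handle}
        ldap::disconnect $handle
    }
}

saslBindAndVerify localhost u007 mollypenny \
    "cn=James Bond,ou=SomeOU,dc=tcllib,dc=tcltk"
```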