LDAP authentication against PAM how-to
Hi
I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of
the documentation is really horrible. Until someone eventually fixes that,
here is, for future reference, what I had to do (the NetBSD system parts
are off topic, but I added them for the sake of completeness).
Configuration:
NetBSD-3.1
OpenLDAP-2.3.27 from NetBSD's pkgsrc
Cyrus-SASL-2.1.22 from NetBSD's pkgsrc
1) Install the software
1.1 Fix a pkgsrc bug
In /usr/pkgsrc/databases/openldap-server/options.mk,
change --with-spasswd into --enable-spasswd
1.2 Set build options for pkgsrc, in /etc/mk.conf:
PKG_RCD_SCRIPTS=YES
PKG_OPTIONS.openldap-client+=sasl
PKG_OPTIONS.openldap-server+=sasl
PKG_OPTIONS.cyrus-saslauthd+=pam
1.3 Install the following packages:
databases/openldap
security/cyrus-sasl
security/saslauthd
security/cy2-plain
1.4 Fix another pkgsrc bug:
cd /usr/pkgsrc/databases/openldap-server/
cd work/openldap-2.3.27/libraries/libldap_r
make && make install
2) Configure PAM
Create /etc/pam.ldap and populate it with your PAM configuration
3) Configure SASL
3.1 Enable saslauthd, by adding this to /etc/rc.conf:
saslauthd=YES
saslauthd_flags="-a pam"
3.2 Then start it:
/etc/rc.d/saslauthd start
3.3 Configure the SASL library for slapd, by creating
/usr/pkg/lib/sasl2/slapd.conf, with the following content:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
3.4 Check SASL functionality:
testsaslauthd -s ldap -u login -p password
Make sure a wrong password really fails...
4) Configure OpenLDAP (the nasty part)
4.1 Enable PLAIN mechanism (disabled by default) in
/usr/pkg/etc/openldap/slapd.conf, by adding:
sasl-secprops none
You don't need sasl-regex or authz-regex.
4.2 Enable TLS:
Generate TLS certificate, and add certificate, key and CA to
/usr/pkg/etc/openldap/slapd.conf:
TLSCertificateFile /etc/openssl/certs/botin.crt
TLSCertificateKeyFile /etc/openssl/private/botin.key
TLSCACertificateFile /etc/openssl/certs/ca.crt
4.3 Populate the directory, make sure that user
cn=jdoe,dc=example,dc=net has this:
userPassword: {SASL}jdoe
4.4 Enable slapd, by adding to /etc/rc.conf:
slapd=YES
4.5 Start slapd:
/etc/rc.d/slapd start
4.6 Check that slapd will accept PLAIN SASL authentication:
ldapsearch -x -b "" -s base supportedSASLMechanisms
You should get:
supportedSASLMechanisms: PLAIN
4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf:
BASE dc=example,dc=net
TLS_CACERT /etc/openssl/certs/ca.crt
SASL_MECH PLAIN
SASL_SECPROPS none
4.8 Check that the whole thing works:
ldapsearch -x -WZD cn=jdoe,dc=example,dc=net
Don't forget to make sure a wrong password fails...
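As an added check that is not part of the original post, here is a small Python linter for the slapd.conf and ldap.conf settings of steps 4.1 to 4.8, run on constructed copies of those files and of the step 4.6 ldapsearch output. It also flags the caveat that `sasl-secprops none` lets slapd accept PLAIN on a cleartext connection, so it looks for a `security` directive (assumed here, not mentioned in the post).

```python
"""Checklist linter for the slapd.conf / ldap.conf settings shown in this post."""
SLAPD_CONF = """sasl-secprops none
TLSCertificateFile /etc/openssl/certs/botin.crt
TLSCertificateKeyFile /etc/openssl/private/botin.key
TLSCACertificateFile /etc/openssl/certs/ca.crt
"""  # constructed sample, mirrors steps 4.1 and 4.2
LDAP_CONF = """BASE dc=example,dc=net
TLS_CACERT /etc/openssl/certs/ca.crt
SASL_MECH PLAIN
SASL_SECPROPS none
"""  # constructed sample, mirrors step 4.7
SEARCH_OUT = "dn:\nsupportedSASLMechanisms: PLAIN\n"  # constructed, step 4.6 output

def parse_directives(text):
    """Map lowercased directive -> list of values; comments and blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            out.setdefault(key.lower(), []).append(value.strip())
    return out

def check_slapd_conf(text):
    """Return findings for slapd.conf; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    if not any("none" in v.split(",") for v in d.get("sasl-secprops", [])):
        findings.append("sasl-secprops none missing: PLAIN stays disabled")
    for key in ("tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile"):
        if key not in d:
            findings.append(f"{key} missing: TLS will not come up")
    # Not in the post: with sasl-secprops none, a client that omits -Z can bind with
    # PLAIN in the clear unless slapd enforces e.g. 'security ssf=128' (assumed directive).
    if "security" not in d:
        findings.append("no security directive: PLAIN accepted without TLS")
    return findings

def check_ldap_conf(text):
    """Return findings for the client ldap.conf of step 4.7."""
    d = parse_directives(text)
    wanted = {"base": None, "tls_cacert": None, "sasl_mech": "PLAIN", "sasl_secprops": "none"}
    return [f"{k} missing or wrong" for k, want in wanted.items()
            if k not in d or (want is not None and d[k][-1] != want)]

def offered_sasl_mechs(ldapsearch_output):
    """Set of mechanisms from 'supportedSASLMechanisms: X' lines (step 4.6)."""
    return {v.strip() for line in ldapsearch_output.splitlines()
            for k, _, v in [line.partition(":")]
            if k.strip().lower() == "supportedsaslmechanisms"}
```

Run it against the real files with `check_slapd_conf(open("/usr/pkg/etc/openldap/slapd.conf").read())` and likewise for ldap.conf; an empty list means the post's settings are all in place.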
NB1: saslauthd logs to /var/log/authlog; its error messages are useful.
NB2: slapd logs to /var/log/slapd.conf; its error messages are usually
meaningless, especially for ACL and SASL troubles.
NB3: Make sure your DN is right. I spent a lot of time running tests
with an invalid DN (i.e. dc=jdoe instead of cn=jdoe).
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org