[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL



Hello,

I am playing with alot of different tools.  I started by trying to get
certificates into my LDAP server.  I installed LDAP with cyrus-sasl.
This seems to be very nice.  I didn't go through having the TLS.

Before I even started messing with the authentication parts, I was
unable to get userCertificates into the system.

$ ldapmodify -x -D cn=manager,dc=usa,dc=alcatel,dc=com -W -f
/tmp/wtupd.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 4) entry: "uid=wtruitt, dc=usa,
dc=alcatel, dc=com"
ldif_record() = 89
$ cat /tmp/wtupd.ldif
dn: uid=wtruitt, dc=usa, dc=alcatel, dc=com
changetype: modify
add: userCertificate
userCertificate:< file://tmp/out.cert
-

$

I have tried several different syntaxes for that line.

My second question, is using the SASL.  I have in my slapd.conf:
# Near the top:
# Define global ACLs to disable default read access.
access to *
 by * read

# in my ldbm section at the bottom
access to *
  by self write
  by dn="cn=Manager,dc=usa,dc=alcatel,dc=com" write
  by * read

I have used saslpasswd to add passwords for both manager and wtruitt.
$ sasldblistusers
user: wtruitt realm: sun1464.ssd.usa.alcatel.com mech: PLAIN
user: wtruitt realm: sun1464.ssd.usa.alcatel.com mech: CRAM-MD5
user: manager realm: sun1464.ssd.usa.alcatel.com mech: PLAIN
user: manager realm: sun1464.ssd.usa.alcatel.com mech: CRAM-MD5
user: uid=wtruitt,dc=usa,dc=alcatel,dc=com realm:
sun1464.ssd.usa.alcatel.com mech: DIGEST-MD5
user: wtruitt realm: sun1464.ssd.usa.alcatel.com mech: DIGEST-MD5
user: manager realm: sun1464.ssd.usa.alcatel.com mech: DIGEST-MD5
user: uid=wtruitt,dc=usa,dc=alcatel,dc=com realm:
sun1464.ssd.usa.alcatel.com mech: PLAIN
user: uid=wtruitt,dc=usa,dc=alcatel,dc=com realm:
sun1464.ssd.usa.alcatel.com mech: CRAM-MD5
$ ldapmodify -U manager -D 'cn=manager,dc=usa,dc=alcatel,dc=com' -W -f
/tmp/wtupd.ldif
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: manager
SASL realm: sun1464.ssd.usa.alcatel.com
SASL SSF: 128
SASL installing layers
modifying entry "uid=wtruitt, dc=usa, dc=alcatel, dc=com"
ldap_modify: Insufficient access

ldif_record() = 50
$

When I comment out the rootdn and rootpw, I am unable to modify the
entry as either wtruitt or manager.  I can use either to do searches.

You can also see in there, one of my experiments with trying to use the
dn: rather than the u:.  In the sasldb, what is the entry for using dn
rather than u for a DIGEST-MD5 authentication?

I was originally going to try using netscape to import the certificate
when I found that I was unable to use the ldapmodify, but it seems that
netscape does not use either MD5 method.  And even then, I get some sort
of error message:
option "binary" with type not supported

(this message taken out of the debug output of slapd)

I guess that is it.  I will be happy to provide any more details that
may be needed.  My schema is as distributed.
include         /local/wtruitt/etc/openldap/schema/core.schema
include         /local/wtruitt/etc/openldap/schema/cosine.schema
include         /local/wtruitt/etc/openldap/schema/inetorgperson.schema

Some of the output from my ldapsearch
$ ldapsearch -D "uid=wtruitt,dc=usa,dc=alcatel,dc=com" \
> -b "dc=usa,dc=alcatel,dc=com" "(objectclass=*)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: wtruitt
SASL realm: sun1464.ssd.usa.alcatel.com
SASL SSF: 128
SASL installing layers
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# usa, dc=alcatel, dc=com
dn: dc=usa, dc=alcatel, dc=com
dc: usa
o: Alcatel USA
objectClass: organization
objectClass: dcObject

# Manager, dc=usa, dc=alcatel, dc=com
dn: cn=Manager, dc=usa, dc=alcatel, dc=com
cn: Manager
sn: Manager
objectClass: person

# wtruitt, dc=usa, dc=alcatel, dc=com
dn: uid=wtruitt, dc=usa, dc=alcatel, dc=com
cn: Walter Truitt
sn: Truitt
givenName: Walter
uid: wtruitt
o: Alcatel USA
mail: Walter.Truitt@usa.alcatel.com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson