[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SASL authentication - please help
Hello everyone,
After 25 hours of work on installing OpenLDAP 2.0.11 with SASL, I'm writing
to you for help. I realize this is one of the most commonly asked questions
on the list. I have already reviewed the 518 posts that are in the list
archive (search for "SASL;2001") and have not found my answer. However, I
have printed out and followed the instructions in those that seemed most
promising. I have also reviewed the man pages, the systems administrators
guide, an "Exchange Server Replacement How-To", and a "LDAP v3 How-To" by
Turbo Fredrikson.
I would like to use SASL to encrypt the username & password used in
replication. I don't mind if the rest of the replication traffic goes plain
text over the wire - user passwords aren't being stored on the LDAP server.
I don't see any need to install Kerberos. You'll note in the installation
instructions, I specifically mention OpenSSL - I don't believe this is
required to use SASL but I've installed it "just in case".
My most recent attempt was working on a clean install on a blank hard drive.
I would like to present you with the problem, and with the steps I have taken
to install the relevant software. These steps are being written as part of
an installation guide for a project I am working on. So that you know,
OpenLDAP, OpenSSL, and Cyrus SASL are all compiled from the most recent
source versions. As well, I confirmed that SASL was working using the
sample-server and sample-client programs. The 'make test' for OpenLDAP
completed without error.
I am doing this in the hopes that someone who has successfully configured
OpenLDAP with SASL will email me with a solution, or some direction to take.
I have followed what few instructions that I have found to the best of my
abilities.
Note: this is a long email. If you feel like skipping down to the next
section, use your find command and look for ---
---The problem, as seen from the client machine---
[root@server /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
[root@server /root]# ldapsearch -d 2
ber_flush: 64 bytes to sd 3
0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ldap_write: want=64, written=64
0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 09 .
ldap_read: want=9, got=9
0000: 02 01 01 64 04 04 00 30 00 ...d...0.
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 0c .
ldap_read: want=12, got=12
0000: 02 01 01 65 07 0a 01 00 04 00 04 00 ...e........
request 1 done
ldap_sasl_interactive_bind_s: No such attribute
---The problem, as seen from the primary LDAP server---
[root@ldap openldap]# /usr/local/libexec/slurpd -d 255
Config: opening config file "/usr/local/etc/openldap/slapd.conf"
Config: (include /usr/local/etc/openldap/schema/core.schema)
Config: (include /usr/local/etc/openldap/schema/cosine.schema)
Config: (include
/usr/local/etc/openldap/schema/inetorgperson.schema)
Config: (include /usr/local/etc/openldap/schema/local.schema)
Config: (pidfile /usr/local/var/slapd.pid)
Config: (argsfile /usr/local/var/slapd.args)
Config: (loglevel 0)
Config: (idletimeout 30)
Config: (sizelimit 100)
Config: (timelimit 120)
Config: (defaultsearchbase "dc=company,dc=com")
Config: (schemacheck on)
Config: (database ldbm)
Config: (replica host=server.company.com:389
binddn="cn=LDAProot,dc=company,dc=com" bindmethod=sasl saslmech=DIGEST-MD5
authcID="server.company.com" realm=server.company.com
credentials="c19vffxx")
Config: ** successfully added replica "server.company.com:389"
Config: (replogfile /usr/local/etc/openldap/replog/replog.log)
Config: (lastmod off)
Config: (suffix "dc=company,dc=com")
Config: (rootdn "cn=LDAProot,dc=company,dc=com")
Config: (rootpw {crypt}SAf0p11tbz3MQ)
Config: (directory /usr/local/var/openldap-ldbm)
Config: (index objectClass eq,pres)
Config: (index uid eq)
Config: (index cn eq,sub)
Config: (index mail eq,pres,sub)
Config: (index givenName eq,sub)
Config: (index sn eq,sub)
Config: (index o eq,sub)
Config: (access to attr=userPassword by dn="cn=LDAPRoot, dc=company,
dc=com" write by * none)
Config: (access to * by anonymous read by dn="cn=LDAPRoot,
dc=company, dc=com" write)
Config: (dbnolocking)
Config: (dbnosync)
Config: (cachesize 10000)
Config: (dbcachesize 100000)
Config: ** configuration file successfully read and parsed
Retrieved state information for server.company.com:389 (timestamp 997309400.0)
begin replication thread for server.company.com:389
Replica server.company.com:389, skip repl record for
uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
Initializing session to server.company.com:389
ldap_create
bind to server.company.com as server.company.com via DIGEST-MD5 (SASL)
ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
ldap_int_sasl_bind: DIGEST-MD5
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: server.company.com
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 54 bytes to sd 6
0000: 30 34 02 01 01 60 2f 02 01 03 04 1c 63 6e 3d 4c 04...`/.....cn=L
0010: 44 41 50 72 6f 6f 74 2c 64 63 3d 73 61 66 65 63 DAProot,dc=compan
0020: 6f 2c 64 63 3d 63 6f 6d a3 0c 04 0a 44 49 47 45 y,dc=com....DIGE
0030: 53 54 2d 4d 44 35 ST-MD5
ldap_write: want=54, written=54
0000: 30 34 02 01 01 60 2f 02 01 03 04 1c 63 6e 3d 4c 04...`/.....cn=L
0010: 44 41 50 72 6f 6f 74 2c 64 63 3d 73 61 66 65 63 DAProot,dc=compan
0020: 6f 2c 64 63 3d 63 6f 6d a3 0c 04 0a 44 49 47 45 y,dc=com....DIGE
0030: 53 54 2d 4d 44 35 ST-MD5
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: server.company.com port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Aug 23 12:31:48 2001
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 0c .
ldap_read: want=12, got=12
0000: 02 01 01 61 07 0a 01 07 04 00 04 00 ...a........
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807f120 ptr=0x0807f120 end=0x0807f12c len=12
0000: 02 01 01 61 07 0a 01 07 04 00 04 00 ...a........
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
0000: 61 07 0a 01 07 04 00 04 00 a........
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
0000: 61 07 0a 01 07 04 00 04 00 a........
ldap_msgfree
ldap_err2string
Error: LDAP SASL for server.company.com:389 failed: Authentication method not
supported
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 02 42 00 0....B.
ldap_free_connection: actually freed
fm: exiting
Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on
replica server.company.com:389
end replication thread for server.company.com:389
slurpd: terminated.[
--- Steps to Reproduce ---
1.To begin, insert Red Hat Linux CD 1 in the CD-ROM drive. Turn off the
computer and turn it on again.
2."Welcome to Red Hat Linux 7.1" will appear on screen. Press the ENTER key.
3.Debugging information will appear on screen. The screen will briefly turn
blue, and then additional debugging information will appear. Wait for the
Red Hat logo to appear on screen.
4.In Language Selection, confirm that "English" is selected and press Next.
5.In Keyboard Configuration, confirm that "Generic 105-key (Intl) PC" is
selected. Confirm that U.S. English is selected. Select "Disable dead keys."
Press Next.
6.In Mouse Configuration, select "2 Button Mouse (PS/2)". Select "Emulate 3
buttons". Press next.
7.On the Welcome to Red Hat Linux screen, press Next.
8.In Install Options, select "Server System".
9.In Disk Partitioning, select "Manually partition with Disk Druid" and press
Next
10.Using the mouse, delete any existing partitions. Using the Add button,
add the following partitions:
Mount point: (Not set) Size = 2x Physical RAM in server. Partition Type:
Linux Swap.
Mount point: /var Size = 650 Partition Type: Linux Native
Mount point: / Use remaining space - checked. Partition Type: Linux Native.
11.In Choose Partitions to Format select all partitions. As well, select
"Check for bad blocks while formatting".
12.In Network Configuration, select the eth0 tab. Clear "Configure using
DHCP." Type in the appropriate values for IP address, NetMask, Network,
Broadcast, Hostname, Gateway, and the DNS servers. If there are multiple
NICs in the server, select the eth1, eth2, etc. tabs and set appropriate
values.
13.In Firewall Configuration, select "No Firewall". Later in this guide, the
Bastille Firewall will be installed. Detailed instructions for how to
configure this firewall are provided in the Red Hat Linux Configuration
Guide. Press Next.
14.In Language Support Selection, confirm that "English (USA)" is selected.
Press Next.
15.In Time Zone Selection, select "America/Vancouver". Press Next.
16.In Account Configuration, type the Root Password in "Root Password" and in
"Confirm". Add a second account admin with the following properties:
Account Name: admin
Password: (your password)
Password (confirm): (your password)
Full Name: administrative user
Press "Add" to add the new account. Do not add additional accounts at this
time.
17.In Selecting Package Groups, confirm that all packages are cleared.
Select "Select individual packages", and press Next.
18.The next screen will be titled "Individual Package Selection". A
tree-view of available package categories will appear on the left side of the
screen, while individual packages appear on the right.
Applications - Communications: press "Unselect all in group".
Applications - Editors: press "Unselect all in group".
Applications - Internet: clear "elm", "fetchmail", "finger", "ftp", "im",
"metamail", "ncftp", "nmh", "pine", "rsh", "rsync", "slrn", "talk", and
"telnet".
Applications - Publishing: clear "ghostscript" and "ghostscript-fonts".
Applications - System: clear "isdn4k-utils". Select "linuxconf" and
"mtools". Clear "rdist". Select "samba-client" and "samba-common".
Development - Libraries - clear openssl-devel
System Environment - Base: clear "chkfontpath".
System Environment - Daemons: clear "LPRng", "XFree86-xfs", "anonftp",
"finger server", "inews", "ppp", "printconf", "rp-ppoe", "rsh-server",
"rusers", "rusers-server", "rwall", "rwall-server", "rwho", "talk-server",
"telnet-server", "wu-ftpd", and "wvdial".
System Environment - Kernel: select "kernel-enterprise".
System Environment - Libraries: clear "VFlib2"
User Environment - X: clear "urw-fonts" and "xtt-fonts".
17.Press Next.
18.In About to Install, press Next.
19.In Installing Packages, the file system will be formatted. Packages will
be copied to the hard disk. When prompted, insert Red Hat Linux Disk Two
into the CD-ROM drive and press Ok.
20.In Boot Disk Creation, insert a blank floppy disk into the floppy drive
and press Next. The boot disk will be created.
21.In Congratulations, remove the floppy disk from the drive. Label this
"BOOT FLOPPY" and do not lose it. Press Exit.
22.The system will shut down and the CD-ROM will eject. IMMEDIATELY remove
the CD-ROM from the drive.
23.Lilo will show. You do not need to press Enter for Linux to boot.
24.Linux boot messages will show. Services will start, and network
interfaces will start. When "Red Hat Linux release 7.1 (Seawolf)" appears on
screen, you may continue.
Updating Linux with post-release fixes
25.Log in as root.
26.Insert the Project CD-ROM into the CD-ROM drive.
27.Mount the CD-ROM by typing mount /mnt/cdrom
28.Switch to the updates folder of the CD-ROM by typing cd /mnt/cdrom/updates
29.Type rpm -Uvh gcc/libstdc++-2.96-85.i386.rpm
gcc/libstdc++-devel-2.96-85.i386.rpm and press Enter.
30.Type rpm -Uvh gnupg/gnupg-1.0.6-1.i386.rpm and press Enter.
31.Type rpm -Uvh mount/losetup-2.11b-3.i386.rpm mount/mount-2.11b-3.i386.rpm
and press Enter.
32.Type rpm -Uvh xinetd/xinetd-2.3.0-1.71.i386.rpm and press Enter.
33.Type cat /etc/lilo.conf and look for the section that starts with
image=/boot/vmlinuz-2.4.2-2 . This indicates which hard disk partition Linux
is installed on. Make a note of the line that begins with root= . For
example, root=/dev/hda2 .
34.Type rpm -ivh kernel/i686/kernel-enterprise-2.4.3-12.i686.rpm and press
Enter.
35.Type vi /etc/lilo.conf and press Enter.
36.Move the cursor down to the end of the file and press a. Type the
following lines below, replacing /dev/hdaXX with the value you determined in
step 33.
image = /boot/vmlinuz-2.4.3-12
label = linux
root = /dev/hdaXX
37.Find the section that begins with image=/boot/vmlinuz-2.4.2-2 . Move the
cursor down to the line that says label = linux . Modify this line to read
label = linux.old .
38.Press the Escape key, type :w and press Enter. Type :q and press Enter.
39.Type lilo -v and press Enter.
40.Type cd and press Enter.
41.Type umount mnt/cdrom and press Enter. You do not need to remove the
CD-ROM from the CD-ROM drive.
42.Type cd and press Enter.
43.Type source .bash_profile and press Enter.
44.Type shutdown now -r and press Enter. The server will reboot.
45.The Lilo screen will be shown with two choices - linux and linux old. You
do not need to press Enter for the boot sequence to continue.
46.Once again, log in as root.
47.Type mkbootdisk --device /dev/fd0 2.4.3-12 and press Enter. Press Enter a
second time. This updates the boot disk with information about the new
kernel. Label this disk as (servername) Boot Disk
Installing Bastille
48.Mount the CD-ROM with the command mount /mnt/cdrom . Press Enter.
49.Type cd /mnt/cdrom/Bastille/ and press Enter.
50.Type rpm --nodeps -ivh perl-Curses-1.05-2mdk.i586.rpm and press Enter.
51.Type rpm -ivh Bastille-1.2.0-1.1mdk.noarch.rpm
Bastille-Curses-module-1.2.0-1.1mdk.noarch.rpm and press Enter.
Compiling & Installing OpenSSL libraries
52.Type cp /mnt/cdrom/openssl/openssl-0.9.6b.tar.gz /usr/src and press Enter.
53.Type cd /usr/src and press Enter.
54.Type tar -xzvf openssl-0.9.6b.tar.gz and press Enter.
55.Type cd /openssl-0.9.6b and press Enter.
56.Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
57.Type make -f Makefile.ssl all and press Enter.
58.Type make -f Makefile.ssl install and press Enter.
Compiling & Installing Cyrus SASL libraries
59.Type cp /mnt/cdrom/cyrus/cyrus-sasl-1.5.24.tar.gz /usr/src and press Enter.
60.Type cd and press Enter.
61.Type umount /mnt/cdrom and press Enter. You should eject the CD-ROM from
the CD-ROM drive.
62.Type cd /usr/src and press Enter.
63.Type tar -xzvf cyrus-sasl-1.5.24.tar.gz and press Enter.
64.Type cd cyrus-sasl-1.5.24 and press Enter.
65.Type ./configure --enable-plain --disable-krb4 and press Enter.
66.Type make and press Enter.
67.Type make install and press Enter.
68.Type ln /usr/lib/sasl /usr/local/lib/sasl -d and press Enter.
19.Type linuxconf and press Enter.
20.A welcome screen will appear. Press Quit (this is not intuitive).
21.Using the cursor keys, select Config - Networking - Client Tasks and press
Enter. Select Host Name and IP Network Devices and press Enter.
22.In the "Host Name and Domain" field, input the appropriate server host
name (if it's not already there).
23.Press Accept (use either the mouse or the tab key).
24.Press Dismiss.
25.Press Quit. When prompted, press Do It.
69.Type saslpasswd -c LDAProot and press Enter. When prompted, enter the
password for LDAProot and press Enter.
70.Type sasldblistusers and press Enter. The output should be as follows:
user: LDAProot realm: server.company.com mech: DIGEST-MD5
user: LDAProot realm: server.company.com mech: PLAIN
user: LDAProot realm: server.company.com mech: CRAM-MD5
(where server should be equal to the server name).
Compiling & Installing OpenLDAP
71.Type cd../OpenLDAP and press Enter.
72.Type cp openldap-stable-20010524.tgz /usr/src and press Enter.
73.Type cd /usr/src and press Enter.
74.Type tar -xzvf openldap-stable-20010524.tgz and press Enter.
75.Type cd openldap-2.0.11/ and press Enter.
76.Type ./configure --with-cyrus-sasl --enable-spasswd and press Enter.
77.The last line of the output should read Please "make depend" to build
dependencies.
78.Type make depend and press Enter.
79.Type make and press Enter.
80.Type make test and press Enter. This verifies that the software has
compiled correctly.
81.Type make install and press Enter.
---The contents of slapd.conf---
Please note: this is the slapd.conf from the backup LDAP server. The primary
LDAP server has the "replica host" lines uncommented, and the "updatedn" /
"updateref" lines commented out.
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
sasl-host server.company.com
sasl-realm company.COM
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/local.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#LDAP_Version_3
loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
## REPLICATION OPTIONS
#replica host=server.company.com:389
# bindmethod=simple
# binddn="cn=LDAProot,dc=company,dc=com"
# credentials=password
updatedn "cn=LDAProot,dc=company,dc=com"
updateref "ldap://ldap.company.com";
replogfile /usr/local/etc/openldap/replog/replog.log
lastmod off
suffix "dc=company,dc=com"
rootdn "cn=LDAProot,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SASL}LDAProot
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-ldbm
# Indices to maintain
index objectClass eq,pres
index uid eq
index cn eq,sub
index mail eq,pres,sub
index givenName eq,sub
index sn eq,sub
index o eq,sub
#ldbm access control definitions
access to attr=userPassword
by dn="cn=LDAPRoot, dc=company, dc=com" write
by * none
access to *
by anonymous read
by dn="cn=LDAPRoot, dc=company, dc=com" write
dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000
I look forward to any responses.
Kayne McGladrey
k.mcgladrey@worldnet.att.net