
SASL authentication - please help

Hello everyone,

After 25 hours of work on installing OpenLDAP 2.0.11 with SASL, I'm writing 
to you for help.  I realize this is one of the most commonly asked questions 
on the list. I have already reviewed the 518 posts that are in the list 
archive (search for "SASL;2001") and have not found my answer.  However, I 
have printed out and followed the instructions in those that seemed most 
promising.  I have also reviewed the man pages, the system administrator's 
guide, an "Exchange Server Replacement How-To", and an "LDAP v3 How-To" by 
Turbo Fredriksson.

I would like to use SASL to encrypt the username & password used in 
replication.  I don't mind if the rest of the replication traffic goes plain 
text over the wire - user passwords aren't being stored on the LDAP server.  
I don't see any need to install Kerberos.  You'll note in the installation 
instructions, I specifically mention OpenSSL - I don't believe this is 
required to use SASL but I've installed it "just in case".

My most recent attempt was working on a clean install on a blank hard drive.  
I would like to present you with the problem, and with the steps I have taken 
to install the relevant software.  These steps are being written as part of 
an installation guide for a project I am working on.  So that you know, 
OpenLDAP, OpenSSL, and Cyrus SASL are all compiled from the most recent 
source versions.  As well, I confirmed that SASL was working using the 
sample-server and sample-client programs.  The 'make test' for OpenLDAP 
completed without error.

I am doing this in the hopes that someone who has successfully configured 
OpenLDAP with SASL will email me with a solution, or some direction to take.  
I have followed what few instructions that I have found to the best of my 
abilities.

Note: this is a long email.  If you feel like skipping down to the next 
section, use your find command and look for ---

---The problem, as seen from the client machine---

[root@server /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:

[root@server /root]# ldapsearch -d 2
ber_flush: 64 bytes to sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_write: want=64, written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  09                                                 .
ldap_read: want=9, got=9
  0000:  02 01 01 64 04 04 00 30  00                        ...d...0.
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  0c                                                 .
ldap_read: want=12, got=12
  0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
request 1 done
ldap_sasl_interactive_bind_s: No such attribute

---The problem, as seen from the primary LDAP server---

[root@ldap openldap]# /usr/local/libexec/slurpd -d 255
Config: opening config file "/usr/local/etc/openldap/slapd.conf"
Config: (include                /usr/local/etc/openldap/schema/core.schema)
Config: (include                /usr/local/etc/openldap/schema/cosine.schema)
Config: (include                
/usr/local/etc/openldap/schema/inetorgperson.schema)
Config: (include                /usr/local/etc/openldap/schema/local.schema)
Config: (pidfile                /usr/local/var/slapd.pid)
Config: (argsfile       /usr/local/var/slapd.args)
Config: (loglevel 0)
Config: (idletimeout 30)
Config: (sizelimit 100)
Config: (timelimit 120)
Config: (defaultsearchbase "dc=company,dc=com")
Config: (schemacheck on)
Config: (database       ldbm)
Config: (replica host=server.company.com:389    
binddn="cn=LDAProot,dc=company,dc=com"   bindmethod=sasl saslmech=DIGEST-MD5  
   authcID="server.company.com"   realm=server.company.com 
credentials="c19vffxx")
Config: ** successfully added replica "server.company.com:389"
Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
Config: (lastmod                off)
Config: (suffix         "dc=company,dc=com")
Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
Config: (rootpw         {crypt}SAf0p11tbz3MQ)
Config: (directory      /usr/local/var/openldap-ldbm)
Config: (index  objectClass                             eq,pres)
Config: (index  uid                                     eq)
Config: (index  cn                                      eq,sub)
Config: (index  mail                                    eq,pres,sub)
Config: (index  givenName                               eq,sub)
Config: (index  sn                                      eq,sub)
Config: (index  o                                       eq,sub)
Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company, 
dc=com" write    by * none)
Config: (access to *    by anonymous read       by dn="cn=LDAPRoot, 
dc=company, dc=com" write)
Config: (dbnolocking)
Config: (dbnosync)
Config: (cachesize 10000)
Config: (dbcachesize 100000)
Config: ** configuration file successfully read and parsed
Retrieved state information for server.company.com:389 (timestamp 997309400.0)
begin replication thread for server.company.com:389
Replica server.company.com:389, skip repl record for 
uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
Initializing session to server.company.com:389
ldap_create
bind to server.company.com as server.company.com via DIGEST-MD5 (SASL)
ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
ldap_int_sasl_bind: DIGEST-MD5
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: server.company.com
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 54 bytes to sd 6
  0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
  0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
  0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
  0030:  53 54 2d 4d 44 35                                  ST-MD5
ldap_write: want=54, written=54
  0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
  0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
  0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
  0030:  53 54 2d 4d 44 35                                  ST-MD5
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: server.company.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 23 12:31:48 2001

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  0c                                                 .
ldap_read: want=12, got=12
  0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807f120 ptr=0x0807f120 end=0x0807f12c len=12
  0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
  0000:  61 07 0a 01 07 04 00 04  00                        a........
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
  0000:  61 07 0a 01 07 04 00 04  00                        a........
ldap_msgfree
ldap_err2string
Error: LDAP SASL for server.company.com:389 failed: Authentication method not 
supported
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_free_connection: actually freed
fm: exiting
Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on 
replica server.company.com:389
end replication thread for server.company.com:389
slurpd: terminated.[

--- Steps to Reproduce ---

1. To begin, insert Red Hat Linux CD 1 in the CD-ROM drive.  Turn off the
computer and turn it on again.
2. "Welcome to Red Hat Linux 7.1" will appear on screen.  Press the ENTER key.
3. Debugging information will appear on screen.  The screen will briefly turn
blue, and then additional debugging information will appear.  Wait for the
Red Hat logo to appear on screen.
4. In Language Selection, confirm that "English" is selected and press Next.
5. In Keyboard Configuration, confirm that "Generic 105-key (Intl) PC" is
selected.  Confirm that U.S. English is selected.  Select "Disable dead keys."
Press Next.
6. In Mouse Configuration, select "2 Button Mouse (PS/2)".  Select "Emulate 3
buttons".  Press Next.
7. On the Welcome to Red Hat Linux screen, press Next.
8. In Install Options, select "Server System".
9. In Disk Partitioning, select "Manually partition with Disk Druid" and press
Next.
10. Using the mouse, delete any existing partitions.  Using the Add button,
add the following partitions:
    Mount point: (Not set)  Size = 2x Physical RAM in server.  Partition Type:
    Linux Swap.
    Mount point: /var  Size = 650  Partition Type: Linux Native.
    Mount point: /  Use remaining space - checked.  Partition Type: Linux Native.
11. In Choose Partitions to Format, select all partitions.  As well, select
"Check for bad blocks while formatting".
12. In Network Configuration, select the eth0 tab.  Clear "Configure using
DHCP."  Type in the appropriate values for IP address, NetMask, Network,
Broadcast, Hostname, Gateway, and the DNS servers.  If there are multiple
NICs in the server, select the eth1, eth2, etc. tabs and set appropriate
values.
13. In Firewall Configuration, select "No Firewall".  Later in this guide, the
Bastille Firewall will be installed.  Detailed instructions for how to
configure this firewall are provided in the Red Hat Linux Configuration
Guide.  Press Next.
14. In Language Support Selection, confirm that "English (USA)" is selected.
Press Next.
15. In Time Zone Selection, select "America/Vancouver".  Press Next.
16. In Account Configuration, type the Root Password in "Root Password" and in
"Confirm".  Add a second account admin with the following properties:
    Account Name: admin
    Password: (your password)
    Password (confirm): (your password)
    Full Name: administrative user
Press "Add" to add the new account.  Do not add additional accounts at this
time.
17. In Selecting Package Groups, confirm that all packages are cleared.
Select "Select individual packages", and press Next.
18. The next screen will be titled "Individual Package Selection".  A
tree-view of available package categories will appear on the left side of the
screen, while individual packages appear on the right.
    Applications - Communications: press "Unselect all in group".
    Applications - Editors: press "Unselect all in group".
    Applications - Internet: clear "elm", "fetchmail", "finger", "ftp", "im",
    "metamail", "ncftp", "nmh", "pine", "rsh", "rsync", "slrn", "talk", and
    "telnet".
    Applications - Publishing: clear "ghostscript" and "ghostscript-fonts".
    Applications - System: clear "isdn4k-utils".  Select "linuxconf" and
    "mtools".  Clear "rdist".  Select "samba-client" and "samba-common".
    Development - Libraries: clear "openssl-devel".
    System Environment - Base: clear "chkfontpath".
    System Environment - Daemons: clear "LPRng", "XFree86-xfs", "anonftp",
    "finger server", "inews", "ppp", "printconf", "rp-ppoe", "rsh-server",
    "rusers", "rusers-server", "rwall", "rwall-server", "rwho", "talk-server",
    "telnet-server", "wu-ftpd", and "wvdial".
    System Environment - Kernel: select "kernel-enterprise".
    System Environment - Libraries: clear "VFlib2".
    User Environment - X: clear "urw-fonts" and "xtt-fonts".
19. Press Next.
20. In About to Install, press Next.
21. In Installing Packages, the file system will be formatted.  Packages will
be copied to the hard disk.  When prompted, insert Red Hat Linux Disk Two
into the CD-ROM drive and press Ok.
22. In Boot Disk Creation, insert a blank floppy disk into the floppy drive
and press Next.  The boot disk will be created.
23. In Congratulations, remove the floppy disk from the drive.  Label this
"BOOT FLOPPY" and do not lose it.  Press Exit.
24. The system will shut down and the CD-ROM will eject.  IMMEDIATELY remove
the CD-ROM from the drive.
25. Lilo will show.  You do not need to press Enter for Linux to boot.
26. Linux boot messages will show.  Services will start, and network
interfaces will start.  When "Red Hat Linux release 7.1 (Seawolf)" appears on
screen, you may continue.

Updating Linux with post-release fixes

27. Log in as root.
28. Insert the Project CD-ROM into the CD-ROM drive.
29. Mount the CD-ROM by typing mount /mnt/cdrom
30. Switch to the updates folder of the CD-ROM by typing cd /mnt/cdrom/updates
31. Type rpm -Uvh gcc/libstdc++-2.96-85.i386.rpm
gcc/libstdc++-devel-2.96-85.i386.rpm and press Enter.
32. Type rpm -Uvh gnupg/gnupg-1.0.6-1.i386.rpm and press Enter.
33. Type rpm -Uvh mount/losetup-2.11b-3.i386.rpm mount/mount-2.11b-3.i386.rpm
and press Enter.
34. Type rpm -Uvh xinetd/xinetd-2.3.0-1.71.i386.rpm and press Enter.
35. Type cat /etc/lilo.conf and look for the section that starts with
image=/boot/vmlinuz-2.4.2-2 .  This indicates which hard disk partition Linux
is installed on.  Make a note of the line that begins with root= .  For
example, root=/dev/hda2 .
36. Type rpm -ivh kernel/i686/kernel-enterprise-2.4.3-12.i686.rpm and press
Enter.
37. Type vi /etc/lilo.conf and press Enter.
38. Move the cursor down to the end of the file and press a.  Type the
following lines below, replacing /dev/hdaXX with the value you determined in
step 35.
    image = /boot/vmlinuz-2.4.3-12
      label = linux
      root = /dev/hdaXX
39. Find the section that begins with image=/boot/vmlinuz-2.4.2-2 .  Move the
cursor down to the line that says label = linux .  Modify this line to read
label = linux.old .
40. Press the Escape key, type :w and press Enter.  Type :q and press Enter.
41. Type lilo -v and press Enter.
42. Type cd and press Enter.
43. Type umount /mnt/cdrom and press Enter.  You do not need to remove the
CD-ROM from the CD-ROM drive.
44. Type cd and press Enter.
45. Type source .bash_profile and press Enter.
46. Type shutdown now -r and press Enter.  The server will reboot.
47. The Lilo screen will be shown with two choices - linux and linux.old.  You
do not need to press Enter for the boot sequence to continue.
48. Once again, log in as root.
49. Type mkbootdisk --device /dev/fd0 2.4.3-12 and press Enter.  Press Enter a
second time.  This updates the boot disk with information about the new
kernel.  Label this disk as (servername) Boot Disk.

Installing Bastille

50. Mount the CD-ROM with the command mount /mnt/cdrom .  Press Enter.
51. Type cd /mnt/cdrom/Bastille/ and press Enter.
52. Type rpm --nodeps -ivh perl-Curses-1.05-2mdk.i586.rpm and press Enter.
53. Type rpm -ivh Bastille-1.2.0-1.1mdk.noarch.rpm
Bastille-Curses-module-1.2.0-1.1mdk.noarch.rpm and press Enter.

Compiling & Installing OpenSSL libraries

54. Type cp /mnt/cdrom/openssl/openssl-0.9.6b.tar.gz /usr/src and press Enter.
55. Type cd /usr/src and press Enter.
56. Type tar -xzvf openssl-0.9.6b.tar.gz and press Enter.
57. Type cd openssl-0.9.6b and press Enter.
58. Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
59. Type make -f Makefile.ssl all and press Enter.
60. Type make -f Makefile.ssl install and press Enter.

Compiling & Installing Cyrus SASL libraries

61. Type cp /mnt/cdrom/cyrus/cyrus-sasl-1.5.24.tar.gz /usr/src and press Enter.
62. Type cd and press Enter.
63. Type umount /mnt/cdrom and press Enter.  You should eject the CD-ROM from
the CD-ROM drive.
64. Type cd /usr/src and press Enter.
65. Type tar -xzvf cyrus-sasl-1.5.24.tar.gz and press Enter.
66. Type cd cyrus-sasl-1.5.24 and press Enter.
67. Type ./configure --enable-plain --disable-krb4 and press Enter.
68. Type make and press Enter.
69. Type make install and press Enter.
70. Type ln /usr/lib/sasl /usr/local/lib/sasl -d and press Enter.
71. Type linuxconf and press Enter.
72. A welcome screen will appear.  Press Quit (this is not intuitive).
73. Using the cursor keys, select Config - Networking - Client Tasks and press
Enter.  Select Host Name and IP Network Devices and press Enter.
74. In the "Host Name and Domain" field, input the appropriate server host
name (if it's not already there).
75. Press Accept (use either the mouse or the tab key).
76. Press Dismiss.
77. Press Quit.  When prompted, press Do It.
78. Type saslpasswd -c LDAProot and press Enter.  When prompted, enter the
password for LDAProot and press Enter.
79. Type sasldblistusers and press Enter.  The output should be as follows:
    user: LDAProot realm: server.company.com mech: DIGEST-MD5
    user: LDAProot realm: server.company.com mech: PLAIN
    user: LDAProot realm: server.company.com mech: CRAM-MD5
(where server should be equal to the server name).

Compiling & Installing OpenLDAP

80. Type cd ../OpenLDAP and press Enter.
81. Type cp openldap-stable-20010524.tgz /usr/src and press Enter.
82. Type cd /usr/src and press Enter.
83. Type tar -xzvf openldap-stable-20010524.tgz and press Enter.
84. Type cd openldap-2.0.11/ and press Enter.
85. Type ./configure --with-cyrus-sasl --enable-spasswd and press Enter.
86. The last line of the output should read Please "make depend" to build
dependencies.
87. Type make depend and press Enter.
88. Type make and press Enter.
89. Type make test and press Enter.  This verifies that the software has
compiled correctly.
90. Type make install and press Enter.

---The contents of slapd.conf---

Please note: this is the slapd.conf from the backup LDAP server.  The primary 
LDAP server has the "replica host" lines uncommented, and the "updatedn" / 
"updateref" lines commented out.


# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

sasl-host	server.company.com
sasl-realm	company.COM

include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/local.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/local/var/slapd.pid
argsfile	/usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/local/libexec/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#LDAP_Version_3
loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on

#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
## REPLICATION OPTIONS
#replica host=server.company.com:389
#	bindmethod=simple
#	binddn="cn=LDAProot,dc=company,dc=com"
#	credentials=password
updatedn "cn=LDAProot,dc=company,dc=com"
updateref "ldap://ldap.company.com"

replogfile	/usr/local/etc/openldap/replog/replog.log
lastmod		off

suffix		"dc=company,dc=com"
rootdn		"cn=LDAProot,dc=company,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{SASL}LDAProot
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/usr/local/var/openldap-ldbm
# Indices to maintain

index	objectClass				eq,pres
index	uid					eq

index	cn					eq,sub
index	mail					eq,pres,sub
index	givenName				eq,sub
index	sn					eq,sub
index	o					eq,sub

#ldbm access control definitions
access to attr=userPassword
	by dn="cn=LDAPRoot, dc=company, dc=com" write
	by * none

access to *
	by anonymous read
	by dn="cn=LDAPRoot, dc=company, dc=com" write

dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000


I look forward to any responses.


Kayne McGladrey
k.mcgladrey@worldnet.att.net
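To make the two traces in this message readable, here is a small BER decoder for the LDAP response messages whose hex dumps appear in them: the empty rootDSE entry and its searchResDone returned to ldapsearch, and the bindResponse slurpd received. This is an added example, not code from the original post or from OpenLDAP; the byte strings are transcribed from the dumps above, and the tag and result-code tables are the RFC 2251 values.

```python
"""Decode the LDAP response messages that appear as hex dumps in the
ldapsearch -d 2 and slurpd -d 255 traces.  Added example, not part of the
original post; the byte strings below are transcribed from those dumps."""

# LDAP application tags (RFC 2251 section 4.1) for the messages seen in the traces.
APP_TAGS = {0x61: "bindResponse", 0x64: "searchResEntry", 0x65: "searchResDone"}

# LDAPResult resultCode values from RFC 2251 section 4.1.10 (subset).
RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError",
                7: "authMethodNotSupported", 8: "strongAuthRequired",
                16: "noSuchAttribute", 32: "noSuchObject",
                48: "inappropriateAuthentication", 49: "invalidCredentials"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(raw):
    """Decode one LDAPMessage (SEQUENCE { messageID, protocolOp }) into a dict."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big"),
           "op": APP_TAGS.get(op_tag, "tag 0x%02x" % op_tag)}
    if op_tag in (0x61, 0x65):
        # LDAPResult: resultCode ENUMERATED, matchedDN and errorMessage OCTET STRINGs
        _, code, pos = read_tlv(op, 0)
        _, matched, pos = read_tlv(op, pos)
        _, error, _ = read_tlv(op, pos)
        rc = int.from_bytes(code, "big")
        msg.update(resultCode=rc, resultName=RESULT_CODES.get(rc, "unknown"),
                   matchedDN=matched.decode(), errorMessage=error.decode())
    elif op_tag == 0x64:
        # SearchResultEntry: objectName OCTET STRING, attributes SEQUENCE OF SEQUENCE
        _, dn, pos = read_tlv(op, 0)
        _, attrs, _ = read_tlv(op, pos)
        names, apos = [], 0
        while apos < len(attrs):
            _, attr, apos = read_tlv(attrs, apos)
            names.append(read_tlv(attr, 0)[1].decode())  # attribute type only
        msg.update(objectName=dn.decode(), attributes=names)
    return msg


# Transcribed from the traces in the post: the rootDSE entry and search result
# returned to ldapsearch, and the bind response slurpd received.
ROOTDSE_ENTRY = bytes.fromhex("30 09 02 01 01 64 04 04 00 30 00")
ROOTDSE_DONE = bytes.fromhex("30 0c 02 01 01 65 07 0a 01 00 04 00 04 00")
SLURPD_BIND = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 07 04 00 04 00")

if __name__ == "__main__":
    for raw in (ROOTDSE_ENTRY, ROOTDSE_DONE, SLURPD_BIND):
        print(decode_ldap_message(raw))
```

Decoding shows the rootDSE entry came back with an empty attribute list (no supportedSASLMechanisms value at all) and that slurpd's bind was refused with resultCode 7, authMethodNotSupported, which is the text ldap_err2string printed.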
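A cross-check of the SASL identity values quoted in this message: the replica directive as slurpd echoed it on the primary, the sasl-host/sasl-realm lines from the consumer's slapd.conf, and the sasldblistusers output. This is an added example, not part of the original post or of OpenLDAP; its inputs are constructed from the values in the post (credentials replaced by a placeholder), and it only reports values that differ between the three sources, without diagnosing the bind failure itself.

```python
"""Cross-check replica directive, consumer sasl-realm and sasldb contents.
Added example, not part of the post; inputs are constructed from the values
quoted in the post, with the credentials replaced by a placeholder."""
import re
import shlex

# Consumer-side slapd.conf fragment (values from the post).
CONSUMER_CONF = """\
sasl-host server.company.com
sasl-realm company.COM
"""

# Replica directive as echoed by slurpd -d 255 on the primary (credentials replaced).
REPLICA_DIRECTIVE = ('replica host=server.company.com:389 '
                     'binddn="cn=LDAProot,dc=company,dc=com" bindmethod=sasl '
                     'saslmech=DIGEST-MD5 authcID="server.company.com" '
                     'realm=server.company.com credentials="PLACEHOLDER"')

# sasldblistusers output from the post.
SASLDB_LISTING = """\
user: LDAProot realm: server.company.com mech: DIGEST-MD5
user: LDAProot realm: server.company.com mech: PLAIN
user: LDAProot realm: server.company.com mech: CRAM-MD5
"""


def parse_conf(text):
    """Return {directive: value} for simple 'directive value' slapd.conf lines."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def parse_replica(line):
    """Split a replica directive into its key=value options (quotes stripped)."""
    opts = {}
    for tok in shlex.split(line)[1:]:
        key, _, val = tok.partition("=")
        opts[key.lower()] = val
    return opts


def parse_sasldb(text):
    """Return a set of (user, realm, mech) triples from sasldblistusers output."""
    pat = re.compile(r"user: (\S+) realm: (\S+) mech: (\S+)")
    return {m.groups() for m in map(pat.match, text.splitlines()) if m}


def check_sasl_identity(conf, replica, sasldb):
    """Return a list of values that disagree between the three sources."""
    findings = []
    realm = replica.get("realm")
    if realm != conf.get("sasl-realm"):
        findings.append("realm mismatch: replica realm=%r, consumer sasl-realm=%r"
                        % (realm, conf.get("sasl-realm")))
    authcid, mech = replica.get("authcid"), replica.get("saslmech")
    if (authcid, realm, mech) not in sasldb:
        findings.append("no sasldb entry for user=%r realm=%r mech=%r"
                        % (authcid, realm, mech))
    return findings
```

Running check_sasl_identity(parse_conf(CONSUMER_CONF), parse_replica(REPLICA_DIRECTIVE), parse_sasldb(SASLDB_LISTING)) on these inputs returns two findings: the realm in the replica directive differs from the consumer's sasl-realm, and the authcID named in the directive has no sasldb entry under that realm and mechanism.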