Re: SASL authentication - please help



Have you created a saslpasswd file? E.g.:
./saslpasswd cyrus
?
You must have done this to let OL check for mechanisms.

>
> After 25 hours of work on installing OpenLDAP 2.0.11 with SASL, I'm writing
> to you for help.  I realize this is one of the most commonly asked questions
> on the list. I have already reviewed the 518 posts that are in the list
> archive (search for "SASL;2001") and have not found my answer.  However, I
> have printed out and followed the instructions in those that seemed most
> promising.  I have also reviewed the man pages, the systems administrators
> guide, an "Exchange Server Replacement How-To", and a "LDAP v3 How-To" by
> Turbo Fredrikson.
>
> I would like to use SASL to encrypt the username & password used in
> replication.  I don't mind if the rest of the replication traffic goes plain
> text over the wire - user passwords aren't being stored on the LDAP server.
> I don't see any need to install Kerberos.  You'll note in the installation
> instructions, I specifically mention OpenSSL - I don't believe this is
> required to use SASL but I've installed it "just in case".
>
> My most recent attempt was working on a clean install on a blank hard drive.
> I would like to present you with the problem, and with the steps I have taken
> to install the relevant software.  These steps are being written as part of
> an installation guide for a project I am working on.  So that you know,
> OpenLDAP, OpenSSL, and Cyrus SASL are all compiled from the most recent
> source versions.  As well, I confirmed that SASL was working using the
> sample-server and sample-client programs.  The 'make test' for OpenLDAP
> completed without error.
>
> I am doing this in the hopes that someone who has successfully configured
> OpenLDAP with SASL will email me with a solution, or some direction to take.
> I have followed what few instructions that I have found to the best of my
> abilities.
>
> Note: this is a long email.  If you feel like skipping down to the next
> section, use your find command and look for ---
>
> ---The problem, as seen from the client machine---
>
> [root@server /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
> dn:
>
> [root@server /root]# ldapsearch -d 2
> ber_flush: 64 bytes to sd 3
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
> ldap_write: want=64, written=64
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  09                                                 .
> ldap_read: want=9, got=9
>   0000:  02 01 01 64 04 04 00 30  00                        ...d...0.
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  0c                                                 .
> ldap_read: want=12, got=12
>   0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
> request 1 done
> ldap_sasl_interactive_bind_s: No such attribute
>
> ---The problem, as seen from the primary LDAP server---
>
> [root@ldap openldap]# /usr/local/libexec/slurpd -d 255
> Config: opening config file "/usr/local/etc/openldap/slapd.conf"
> Config: (include /usr/local/etc/openldap/schema/core.schema)
> Config: (include /usr/local/etc/openldap/schema/cosine.schema)
> Config: (include /usr/local/etc/openldap/schema/inetorgperson.schema)
> Config: (include /usr/local/etc/openldap/schema/local.schema)
> Config: (pidfile                /usr/local/var/slapd.pid)
> Config: (argsfile       /usr/local/var/slapd.args)
> Config: (loglevel 0)
> Config: (idletimeout 30)
> Config: (sizelimit 100)
> Config: (timelimit 120)
> Config: (defaultsearchbase "dc=company,dc=com")
> Config: (schemacheck on)
> Config: (database       ldbm)
> Config: (replica host=server.company.com:389
> binddn="cn=LDAProot,dc=company,dc=com"   bindmethod=sasl saslmech=DIGEST-MD5
>    authcID="server.company.com"   realm=server.company.com
> credentials="c19vffxx")
> Config: ** successfully added replica "server.company.com:389"
> Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
> Config: (lastmod                off)
> Config: (suffix         "dc=company,dc=com")
> Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
> Config: (rootpw         {crypt}SAf0p11tbz3MQ)
> Config: (directory      /usr/local/var/openldap-ldbm)
> Config: (index  objectClass                             eq,pres)
> Config: (index  uid                                     eq)
> Config: (index  cn                                      eq,sub)
> Config: (index  mail                                    eq,pres,sub)
> Config: (index  givenName                               eq,sub)
> Config: (index  sn                                      eq,sub)
> Config: (index  o                                       eq,sub)
> Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company,
> dc=com" write    by * none)
> Config: (access to *    by anonymous read       by dn="cn=LDAPRoot,
> dc=company, dc=com" write)
> Config: (dbnolocking)
> Config: (dbnosync)
> Config: (cachesize 10000)
> Config: (dbcachesize 100000)
> Config: ** configuration file successfully read and parsed
> Retrieved state information for server.company.com:389 (timestamp 997309400.0)
> begin replication thread for server.company.com:389
> Replica server.company.com:389, skip repl record for
> uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
> Initializing session to server.company.com:389
> ldap_create
> bind to server.company.com as server.company.com via DIGEST-MD5 (SASL)
> ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
> ldap_int_sasl_bind: DIGEST-MD5
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host
> ldap_new_socket: 6
> ldap_prepare_socket: 6
> ldap_connect_to_host: Trying 192.168.1.2:389
> ldap_connect_timeout: fd: 6 tm: -1 async: 0
> ldap_ndelay_on: 6
> ldap_is_sock_ready: 6
> ldap_ndelay_off: 6
> ldap_int_sasl_open: server.company.com
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_flush: 54 bytes to sd 6
>   0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
>   0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
>   0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
>   0030:  53 54 2d 4d 44 35                                  ST-MD5
> ldap_write: want=54, written=54
>   0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
>   0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
>   0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
>   0030:  53 54 2d 4d 44 35                                  ST-MD5
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: server.company.com  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Thu Aug 23 12:31:48 2001
>
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** Response Queue:
>    Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> do_ldap_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  0c                                                 .
> ldap_read: want=12, got=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807f120 ptr=0x0807f120 end=0x0807f12c len=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
> ldap_read: message type bind msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
>   0000:  61 07 0a 01 07 04 00 04  00                        a........
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
>   0000:  61 07 0a 01 07 04 00 04  00                        a........
> ldap_msgfree
> ldap_err2string
> Error: LDAP SASL for server.company.com:389 failed: Authentication method not supported
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_write: want=7, written=7
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_free_connection: actually freed
> fm: exiting
> Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on
> replica server.company.com:389
> end replication thread for server.company.com:389
> slurpd: terminated.[
>
> --- Steps to Reproduce ---
>
> 1.To begin, insert Red Hat Linux CD 1 in the CD-ROM drive.  Turn off the
> computer and turn it on again.
> 2."Welcome to Red Hat Linux 7.1" will appear on screen.  Press the ENTER key.
> 3.Debugging information will appear on screen.  The screen will briefly turn
> blue, and then additional debugging information will appear.  Wait for the
> Red Hat logo to appear on screen.
> 4.In Language Selection, confirm that "English" is selected and press Next.
> 5.In Keyboard Configuration, confirm that "Generic 105-key (Intl) PC" is
> selected. Confirm that U.S. English is selected.  Select "Disable dead keys."
>  Press Next.
> 6.In Mouse Configuration, select "2 Button Mouse (PS/2)".  Select "Emulate 3
> buttons".  Press next.
> 7.On the Welcome to Red Hat Linux screen, press Next.
> 8.In Install Options, select "Server System".
> 9.In Disk Partitioning, select "Manually partition with Disk Druid" and press
> Next
> 10.Using the mouse, delete any existing partitions.  Using the Add button,
> add the following partitions:
> Mount point: (Not set) Size = 2x Physical RAM in server. Partition Type:
> Linux Swap.
> Mount point: /var Size = 650 Partition Type: Linux Native
> Mount point: / Use remaining space - checked.  Partition Type: Linux Native.
> 11.In Choose Partitions to Format select all partitions.  As well, select
> "Check for bad blocks while formatting".
> 12.In Network Configuration, select the eth0 tab.  Clear "Configure using
> DHCP."   Type in the appropriate values for IP address, NetMask, Network,
> Broadcast, Hostname, Gateway, and the DNS servers.  If there are multiple
> NICs in the server, select the eth1, eth2, etc. tabs and set appropriate
> values.
> 13.In Firewall Configuration, select "No Firewall".  Later in this guide, the
> Bastille Firewall will be installed. Detailed instructions for how to
> configure this firewall are provided in the Red Hat Linux Configuration
> Guide.  Press Next.
> 14.In Language Support Selection, confirm that "English (USA)" is selected.
> Press Next.
> 15.In Time Zone Selection, select "America/Vancouver".  Press Next.
> 16.In Account Configuration, type the Root Password in "Root Password" and in
> "Confirm".  Add a second account admin with the following properties:
> Account Name: admin
> Password: (your password)
> Password (confirm): (your password)
> Full Name: administrative user
> Press "Add" to add the new account.  Do not add additional accounts at this
> time.
> 17.In Selecting Package Groups, confirm that all packages are cleared.
> Select "Select individual packages", and press Next.
> 18.The next screen will be titled "Individual Package Selection".  A
> tree-view of available package categories will appear on the left side of the
> screen, while individual packages appear on the right.
> Applications - Communications: press "Unselect all in group".
> Applications - Editors: press "Unselect all in group".
> Applications - Internet: clear "elm", "fetchmail", "finger", "ftp", "im",
> "metamail", "ncftp", "nmh", "pine", "rsh", "rsync", "slrn", "talk", and
> "telnet".
> Applications - Publishing: clear "ghostscript" and "ghostscript-fonts".
> Applications - System: clear "isdn4k-utils".  Select "linuxconf" and
> "mtools".  Clear "rdist".  Select "samba-client" and "samba-common".
> Development - Libraries - clear openssl-devel
> System Environment - Base: clear "chkfontpath".
> System Environment - Daemons: clear "LPRng", "XFree86-xfs", "anonftp",
> "finger server", "inews", "ppp", "printconf", "rp-ppoe", "rsh-server",
> "rusers", "rusers-server", "rwall", "rwall-server", "rwho", "talk-server",
> "telnet-server", "wu-ftpd", and "wvdial".
> System Environment - Kernel: select "kernel-enterprise".
> System Environment - Libraries: clear "VFlib2"
> User Environment - X: clear "urw-fonts" and "xtt-fonts".
> 17.Press Next.
> 18.In About to Install, press Next.
> 19.In Installing Packages, the file system will be formatted.  Packages will
> be copied to the hard disk.  When prompted, insert Red Hat Linux Disk Two
> into the CD-ROM drive and press Ok.
> 20.In Boot Disk Creation, insert a blank floppy disk into the floppy drive
> and press Next.  The boot disk will be created.
> 21.In Congratulations, remove the floppy disk from the drive.  Label this
> "BOOT FLOPPY" and do not lose it.  Press Exit.
> 22.The system will shut down and the CD-ROM will eject.  IMMEDIATELY remove
> the CD-ROM from the drive.
> 23.Lilo will show.  You do not need to press Enter for Linux to boot.
> 24.Linux boot messages will show.  Services will start, and network
> interfaces will start. When "Red Hat Linux release 7.1 (Seawolf)" appears on
> screen, you may continue.
> Updating Linux with post-release fixes
> 25.Log in as root.
> 26.Insert the Project CD-ROM into the CD-ROM drive.
> 27.Mount the CD-ROM by typing mount /mnt/cdrom
> 28.Switch to the updates folder of the CD-ROM by typing cd /mnt/cdrom/updates
> 29.Type rpm -Uvh gcc/libstdc++-2.96-85.i386.rpm
> gcc/libstdc++-devel-2.96-85.i386.rpm and press Enter.
> 30.Type rpm -Uvh gnupg/gnupg-1.0.6-1.i386.rpm and press Enter.
> 31.Type rpm -Uvh mount/losetup-2.11b-3.i386.rpm mount/mount-2.11b-3.i386.rpm
> and press Enter.
> 32.Type  rpm -Uvh xinetd/xinetd-2.3.0-1.71.i386.rpm and press Enter.
> 33.Type cat /etc/lilo.conf and look for the section that starts with
> image=/boot/vmlinuz-2.4.2-2 . This indicates which hard disk partition Linux
> is installed on.  Make a note of the line that begins with root= .  For
> example, root=/dev/hda2 .
> 34.Type rpm -ivh kernel/i686/kernel-enterprise-2.4.3-12.i686.rpm and press
> Enter.
> 35.Type vi /etc/lilo.conf and press Enter.
> 36.Move the cursor down to the end of the file and press a.  Type the
> following lines below, replacing /dev/hdaXX with the value you determined in
> step 33.
> image = /boot/vmlinuz-2.4.3-12
>   label = linux
>   root = /dev/hdaXX
> 37.Find the section that begins with  image=/boot/vmlinuz-2.4.2-2 . Move the
> cursor down to the line that says label = linux .  Modify this line to read
> label = linux.old .
> 38.Press the Escape key, type :w and press Enter.  Type :q and press Enter.
> 39.Type lilo -v and press Enter.
> 40.Type cd and press Enter.
> 41.Type umount mnt/cdrom and press Enter.  You do not need to remove the
> CD-ROM from the CD-ROM drive.
> 42.Type cd and press Enter.
> 43.Type source .bash_profile and press Enter.
> 44.Type shutdown now -r and press Enter.  The server will reboot.
> 45.The Lilo screen will be shown with two choices - linux and linux old.  You
> do not need to press Enter for the boot sequence to continue.
> 46.Once again, log in as root.
> 47.Type mkbootdisk --device /dev/fd0 2.4.3-12 and press Enter.  Press Enter a
> second time.  This updates the boot disk with information about the new
> kernel.  Label this disk as (servername) Boot Disk
> Installing Bastille
> 48.Mount the CD-ROM with the command mount /mnt/cdrom .  Press Enter.
> 49.Type cd /mnt/cdrom/Bastille/ and press Enter.
> 50.Type rpm --nodeps -ivh perl-Curses-1.05-2mdk.i586.rpm and press Enter.
> 51.Type rpm -ivh Bastille-1.2.0-1.1mdk.noarch.rpm
> Bastille-Curses-module-1.2.0-1.1mdk.noarch.rpm and press Enter.
> Compiling & Installing OpenSSL libraries
> 52.Type cp /mnt/cdrom/openssl/openssl-0.9.6b.tar.gz /usr/src and press Enter.
> 53.Type cd /usr/src and press Enter.
> 54.Type tar -xzvf openssl-0.9.6b.tar.gz  and press Enter.
> 55.Type cd /openssl-0.9.6b and press Enter.
> 56.Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
> 57.Type make -f Makefile.ssl all and press Enter.
> 58.Type make -f Makefile.ssl install and press Enter.
> Compiling & Installing Cyrus SASL libraries
> 59.Type cp /mnt/cdrom/cyrus/cyrus-sasl-1.5.24.tar.gz /usr/src and press Enter.
> 60.Type cd and press Enter.
> 61.Type umount /mnt/cdrom and press Enter.  You should eject the CD-ROM from
> the CD-ROM drive.
> 62.Type cd /usr/src and press Enter.
> 63.Type tar -xzvf cyrus-sasl-1.5.24.tar.gz and press Enter.
> 64.Type cd cyrus-sasl-1.5.24 and press Enter.
> 65.Type ./configure --enable-plain --disable-krb4 and press Enter.
> 66.Type make and press Enter.
> 67.Type make install and press Enter.
> 68.Type ln /usr/lib/sasl /usr/local/lib/sasl -d and press Enter.
> 19.Type linuxconf and press Enter.
> 20.A welcome screen will appear.  Press Quit (this is not intuitive).
> 21.Using the cursor keys, select Config - Networking - Client Tasks and press
> Enter.  Select Host Name and IP Network Devices and press Enter.
> 22.In the "Host Name and Domain" field, input the appropriate server host
> name (if it's not already there).
> 23.Press Accept (use either the mouse or the tab key).
> 24.Press Dismiss.
> 25.Press Quit.  When prompted, press Do It.
> 69.Type saslpasswd -c LDAProot and press Enter.  When prompted, enter the
> password for LDAProot and press Enter.
> 70.Type sasldblistusers and press Enter.  The output should be as follows:
> user: LDAProot realm: server.company.com mech: DIGEST-MD5
> user: LDAProot realm: server.company.com mech: PLAIN
> user: LDAProot realm: server.company.com mech: CRAM-MD5
> (where server should be equal to the server name).
> Compiling & Installing OpenLDAP
> 71.Type cd../OpenLDAP and press Enter.
> 72.Type cp openldap-stable-20010524.tgz /usr/src and press Enter.
> 73.Type cd /usr/src and press Enter.
> 74.Type tar -xzvf openldap-stable-20010524.tgz and press Enter.
> 75.Type cd openldap-2.0.11/ and press Enter.
> 76.Type ./configure --with-cyrus-sasl --enable-spasswd and press Enter.
> 77.The last line of the output should read Please "make depend" to build
> dependencies.
> 78.Type make depend and press Enter.
> 79.Type make and press Enter.
> 80.Type make test and press Enter.  This verifies that the software has
> compiled correctly.
> 81.Type make install and press Enter.
>
> ---The contents of slapd.conf---
>
> Please note: this is the slapd.conf from the backup LDAP server.  The primary
> LDAP server has the "replica host" lines uncommented, and the "updatedn" /
> "updateref" lines commented out.
>
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
>
> sasl-host server.company.com
> sasl-realm company.COM
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/local.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /usr/local/var/slapd.pid
> argsfile /usr/local/var/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/local/libexec/openldap
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> #LDAP_Version_3
> loglevel 0
> idletimeout 30
> sizelimit 100
> timelimit 120
> defaultsearchbase "dc=company,dc=com"
> schemacheck on
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database ldbm
> ## REPLICATION OPTIONS
> #replica host=server.company.com:389
> # bindmethod=simple
> # binddn="cn=LDAProot,dc=company,dc=com"
> # credentials=password
> updatedn "cn=LDAProot,dc=company,dc=com"
> updateref "ldap://ldap.company.com";
>
> replogfile /usr/local/etc/openldap/replog/replog.log
> lastmod off
>
> suffix "dc=company,dc=com"
> rootdn "cn=LDAProot,dc=company,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw {SASL}LDAProot
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd/tools. Mode 700 recommended.
> directory /usr/local/var/openldap-ldbm
> # Indices to maintain
>
> index objectClass eq,pres
> index uid eq
>
> index cn eq,sub
> index mail eq,pres,sub
> index givenName eq,sub
> index sn eq,sub
> index o eq,sub
>
> #ldbm access control definitions
> access to attr=userPassword
> by dn="cn=LDAPRoot, dc=company, dc=com" write
> by * none
>
> access to *
> by anonymous read
> by dn="cn=LDAPRoot, dc=company, dc=com" write
>
> dbnolocking
> dbnosync
> cachesize 10000
> dbcachesize 100000
>
>
> I look forward to any responses.
>
>
> Kayne McGladrey
> k.mcgladrey@worldnet.att.net
>
>
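For anyone reading the hex dumps in the quoted post: here is an added example, my own code rather than anything from this thread or from OpenLDAP, that reassembles the ldap_read fragments of a `-d` log into BER-encoded LDAPMessages and decodes the results (resultCode names per RFC 4511). Run on the dumps quoted above (embedded below as constructed samples) it shows the client's searchResEntry for "" carrying no attributes at all, i.e. no supportedSASLMechanisms advertised, and slurpd receiving a bindResponse with resultCode 7 (authMethodNotSupported), the wire-level form of the "Authentication method not supported" error.

```python
import re
# resultCode values from RFC 4511 4.1.9 that matter here; protocolOp tags are [APPLICATION n] = 0x60 | n.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                14: "saslBindInProgress", 16: "noSuchAttribute", 49: "invalidCredentials"}
PROTOCOL_OPS = {0x61: "bindResponse", 0x64: "searchResEntry", 0x65: "searchResDone"}
# One OpenLDAP hex-dump line: optional "> " mail quoting, 4-digit offset, up to 16 hex pairs, ASCII.
DUMP_RE = re.compile(r"^[>\s]*[0-9a-f]{4}:\s+((?:[0-9a-f]{2} {0,2}){1,16})")
# Constructed samples, taken from the ldapsearch -d 2 and slurpd -d 255 dumps quoted in the thread.
CLIENT_LOG = """\
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  09                                                 .
> ldap_read: want=9, got=9
>   0000:  02 01 01 64 04 04 00 30  00                        ...d...0.
"""
SERVER_LOG = """\
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  0c                                                 .
> ldap_read: want=12, got=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
> ber_dump: buf=0x0807f120 ptr=0x0807f120 end=0x0807f12c len=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
"""
def read_tlv(buf, pos):                     # one BER tag/length/value at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bytes(buf[pos:pos + length]), pos + length

def decode_ldap_message(data):
    """Decode an LDAPMessage carrying a searchResEntry or an LDAPResult (bind/search-done)."""
    tag, body, _ = read_tlv(data, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    _, msgid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"msgid": int.from_bytes(msgid, "big"), "op": PROTOCOL_OPS.get(op_tag, hex(op_tag))}
    _, first, pos = read_tlv(op, 0)         # objectName (entry) or resultCode (LDAPResult)
    _, second, pos = read_tlv(op, pos)      # attributes (entry) or matchedDN (LDAPResult)
    if op_tag == 0x64:                      # searchResEntry ::= { objectName, attributes }
        msg.update(dn=first.decode(), has_attributes=len(second) > 0)
    else:                                   # LDAPResult ::= { resultCode, matchedDN, diagnosticMessage }
        _, diag, _ = read_tlv(op, pos)
        rc = int.from_bytes(first, "big")
        msg.update(resultCode=rc, result=RESULT_CODES.get(rc, "unknown"),
                   matchedDN=second.decode(), diagnosticMessage=diag.decode())
    return msg

def responses_from_debug_log(log_lines):
    """Reassemble the bytes of every ldap_read dump in a -d log and decode each message."""
    data, reading = bytearray(), False
    for line in log_lines:
        m = DUMP_RE.match(line)
        text = line.lstrip("> ")
        if m:
            if reading:
                data += bytes.fromhex(m.group(1))
        elif text.startswith("ldap_read: want="):
            reading = True                  # the dump lines that follow are bytes received
        elif text.startswith(("ber_flush", "ldap_write", "ber_dump")):
            reading = False                 # request bytes, or a re-dump of data already read
    messages, pos = [], 0
    while pos < len(data):                  # the stream may hold several LDAPMessages back to back
        _, _, nxt = read_tlv(data, pos)
        messages.append(decode_ldap_message(data[pos:nxt]))
        pos = nxt
    return messages
```

Request bytes (ber_flush/ldap_write) and ber_dump re-dumps are skipped, so the function can be pointed at a pasted mail thread as-is.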