Problems with SASL, TLS, etc.
My head hurts.
I've compiled OpenLDAP-2.0.11 on a RedHat Linux box. I already have
Cyrus SASL working with Cyrus IMAP and Sendmail AUTH. I compiled
OpenLDAP with the following configuration:
> ./configure --enable-crypt --enable-spasswd --enable-wrappers
> --enable-ldbm --with-tls --with-ldbm-type=btree
I was able to populate the LDAP server using simple authentication
with the root DN and plaintext password I defined in slapd.conf, but
I'm very confused about how to move past this point.
The documentation makes brief reference to replacing the plaintext
"secret" in the slapd.conf file with a secure mechanism such as SASL,
but how does one go about doing this? I tried following the
instructions I found in an archived message which instructed
replacing the "rootpw [secret]" line with "rootpw {SASL}root",
but it didn't seem to help. I'd really like to implement ACLs for
updating the LDAP server, etc. but I haven't been able to get any
authentication past "rootpw [plain secret]" to work at all.
Where exactly is the SASL layer supposed to sit in the whole LDAP
scheme? Is it used for binding? Or for an additional
authentication layer prior to binding? How does the ldappasswd
utility work? I can't seem to generate any passwords at all, for any
users. Whenever I try, I receive the following error:
> Result: DSA is unwilling to perform (53)
> Additional info: operation not supported for current user
Where are the passwords it generates (when it does) stored? In
/etc/sasldb? In the LDAP database itself? If the latter, why have
SASL at all?
How do I convince the server (and LDAP related utilities) to use SASL
LOGIN or PLAIN methods? I'd expect this to be necessary for (the
majority of) clients which don't support SASL directly and are hence
unable to use CRAM-MD5 or DIGEST-MD5. PLAIN and LOGIN show up in the
list of supportedSASLMechanisms (only when using TLS, which is nice)
but if I use -Z with ldapsearch and specify PLAIN or LOGIN SASL
methods (with the -Y flag), I receive the following error:
> ldap_sasl_interactive_bind_s: Unknown authentication method
Perhaps I haven't configured the SASL plaintext logins properly for
slapd. What is the name of the slapd binary internally as far as
SASL is concerned? (I.e., what's the name of the [name].conf file
which needs to be created in /usr/lib/sasl? And the
/etc/pam.d/[servicename] file, for that matter?)
Is there *anywhere* where any of this is documented? I've been
looking for weeks now, and so far I've been completely unsuccessful.
Any pointers or answers to these questions would be greatly
appreciated.
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.