
Problems with SASL, TLS, etc.
My head hurts.

I've compiled OpenLDAP-2.0.11 on a RedHat Linux box.  I already have 
Cyrus SASL working with Cyrus IMAP and Sendmail AUTH.  I compiled 
OpenLDAP with the following configuration:

> ./configure  --enable-crypt --enable-spasswd --enable-wrappers
> --enable-ldbm --with-tls --with-ldbm-type=btree

I was able to populate the LDAP server using simple authentication 
with the root DN and plaintext password I defined in slapd.conf, but 
I'm very confused about how to move past this point.

The documentation makes brief reference to replacing the plaintext 
"secret" in the slapd.conf file with a secure mechanism such as SASL, 
but how does one go about doing this?  I tried following the 
instructions I found in an archived message which instructed 
replacing the "rootpw   [secret]" line with "rootpw   {SASL}root", 
but it didn't seem to help.  I'd really like to implement ACLs for 
updating the LDAP server, etc. but I haven't been able to get any 
authentication past "rootpw    [plain secret]" to work at all.

Where exactly is the SASL layer supposed to sit in the whole LDAP 
scheme?  Is it used for binding?  Or for an additional 
authentication layer prior to binding?  How does the ldappasswd 
utility work?  I can't seem to generate any passwords at all, for any 
users.  Whenever I try, I receive the following error: 

> Result: DSA is unwilling to perform (53)
> Additional info: operation not supported for current user

Where are the passwords it generates (when it does) stored?  In 
/etc/sasldb?  In the LDAP database itself?  If the latter, why have 
SASL at all?

How do I convince the server (and LDAP related utilities) to use SASL 
LOGIN or PLAIN methods?  I'd expect this to be necessary for (the 
majority of) clients which don't support SASL directly and are hence 
unable to use CRAM-MD5 or DIGEST-MD5.  PLAIN and LOGIN show up in the 
list of supportedSASLMechanisms (only when using TLS, which is nice) 
but if I use -Z with ldapsearch and specify PLAIN or LOGIN SASL 
methods (with the -Y flag), I receive the following error:

> ldap_sasl_interactive_bind_s: Unknown authentication method

Perhaps I haven't configured the SASL plaintext logins properly for 
slapd.  What is the name of the slapd binary internally as far as 
SASL is concerned?  (I.e., what's the name of the [name].conf file 
which needs to be created in /usr/lib/sasl?  And the 
/etc/pam.d/[servicename] file, for that matter?)

Is there *anywhere* where any of this is documented?  I've been 
looking for weeks now, and so far I've been completely unsuccessful.

Any pointers or answers to these questions would be greatly 
appreciated.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
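The post notes that PLAIN and LOGIN only appear in supportedSASLMechanisms once TLS is in use. As an added example (not part of the original message, and not OpenLDAP's own code), here is a small offline check of that behaviour: it parses the LDIF that a rootDSE query for supportedSASLMechanisms returns, with and without StartTLS, and flags any cleartext mechanism advertised on the unprotected connection. The two LDIF samples are constructed, not captured from a real server.

```python
"""Audit supportedSASLMechanisms from rootDSE LDIF, offline.

Added example, not from the original post. Input is the text that
`ldapsearch -x -b "" -s base supportedSASLMechanisms` prints, once
without and once with -Z (StartTLS). Samples below are constructed.
"""

# Mechanisms that send the credential itself in clear; safe only under TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed rootDSE output on a plain (non-TLS) connection.
ROOTDSE_PLAIN = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""

# Constructed rootDSE output after StartTLS: PLAIN/LOGIN now advertised.
ROOTDSE_TLS = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""


def parse_mechanisms(ldif):
    """Collect the supportedSASLMechanisms values (upper-cased) from LDIF text."""
    mechs = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.add(value.strip().upper())
    return mechs


def audit(no_tls_ldif, tls_ldif):
    """Report cleartext mechanisms exposed without TLS and those gated behind it."""
    without_tls = parse_mechanisms(no_tls_ldif)
    with_tls = parse_mechanisms(tls_ldif)
    exposed = CLEARTEXT_MECHS & without_tls
    return {
        "exposed_without_tls": sorted(exposed),
        "tls_only": sorted((with_tls - without_tls) & CLEARTEXT_MECHS),
        "ok": not exposed,  # True when no cleartext mechanism is offered without TLS
    }


if __name__ == "__main__":
    print(audit(ROOTDSE_PLAIN, ROOTDSE_TLS))
```

Feeding it the real output of the two ldapsearch invocations (redirected to files) gives the same check against a live server.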