I have compiled and installed Cyrus SASL 1.5.24 and Openldap 2.0.1.8.
I have created users in the sasldb using the saslpasswd utility.
I have verified that the SASL module is working using the sample client and server utilities that come with the Cyrus sasl.
After about a week of working on this, I still can't figure out how to get OpenLDAP to authenticate using the Cyrus SASL. I have looked at
an enormous amount of documentation, none of which clearly describes the configuration, at least not in a manner that I have been able to
understand. I'm still not sure what needs to be in the slapd.conf for SASL authentication, and I'm still confused about what, if anything, goes in
the userPassword attribute of the LDAP database. I have been able to do ldapsearches using simple binding, but whenever I try to authenticate
using SASL binding. When I try to perform a search using ldapsearch as follows:
    ldapsearch -H ldap:///guinness.emax.com -p389 -x -b "" -s base -LLL supportedSASLMechanisms

I get the following as a result:

    dn:
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
This makes me assume that somehow the mechanism I am looking to work with, "CRAM-MD5", is being loaded.
I created a user called builder in the sasldb, and when I issue the sasldblistusers command, I get the following:

    user: builder realm: guinness mech: DIGEST-MD5
    user: builder realm: guinness mech: PLAIN
    user: builder realm: guinness mech: CRAM-MD5
The password for the user is builder.
When I issue the following command:

    ldapsearch -I -b "" -s base -LLL -H ldap://guinness.emax.com -Y CRAM-MD5

I get the following results:

    SASL/CRAM-MD5 authentication started
    SASL Interaction
    Default: builder
    Please enter your authorization name:
    Please enter you password:

I of course enter builder for both the authorization name and password and get the following results:

    ldap_sasl_interactive_bind_s: Unknown error
    additional info: no secret in database
I also get the "no secret in database" error from a Java LDAP client when I try to authenticate using CRAM-MD5.
The LDIF for the builder user is as follows:

    dn: cn=builder,ou=Newtown,o=SciQuest, c=US
    cn: builder
    cn: java builder
    objectclass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: builder
    sn: builder
    userPassword: {SASL}
My slapd.conf file looks like this:

    # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /usr/local/var/slapd.pid
    argsfile /usr/local/var/slapd.args

    # Load dynamic backend modules:
    # modulepath /usr/local/libexec/openldap
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la

    #
    # Sample Access Control
    # Allow read access of root DSE
    # Allow self write access
    # Allow authenticated users read access
    # Allow anonymous users to authenticate
    #
    #access to dn="" by * read
    # access to attr=userPassword
    #     by * write
    #     by * auth
    #     by * read
    access to *
        by * write
        by * read
        by * auth
        by self write
        by users read
        by anonymous auth
    # if no access controls are present, the default is:
    #     Allow read by all
    #
    # rootdn can always write!

    #######################################################################
    # ldbm database definitions
    #######################################################################

    database ldbm
    #suffix "dc=my-domain,dc=com"
    suffix "o=Sciquest,c=US"
    rootdn "cn=Manager,o=SciQuest,c=US"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw verona
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd/tools. Mode 700 recommended.
    directory /usr/local/var/openldap-ldbm
    # Indices to maintain
    index objectClass eq
If anyone has any suggestions, I'm all ears. This thing has been driving me nuts. Thanks in advance.
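To make the "no secret in database" failure concrete, here is an added model of the CRAM-MD5 exchange (RFC 2195) against a sasldb-style secret store keyed by (user, realm); it is constructed for this thread and is not code from Cyrus SASL or OpenLDAP. The in-memory secret store, the realm strings and the error strings are assumptions chosen to mirror the sasldblistusers output and the ldapsearch error quoted above.

```python
"""Constructed model of CRAM-MD5 verification against a (user, realm) secret store.

A challenge/response mechanism such as CRAM-MD5 needs the server to hold the
plaintext shared secret: it recomputes HMAC-MD5(secret, challenge) and compares.
A one-way hash in userPassword cannot serve that purpose, and a lookup miss on
the (user, realm) key is reported before any digest is checked.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the sasldb: (user, realm) -> plaintext secret.
# The realm is the one listed by sasldblistusers in the post above.
SASLDB = {("builder", "guinness"): "builder"}


def make_challenge(host):
    """Server side: a unique challenge in the RFC 2195 '<pid.timestamp@host>' form."""
    return "<%d.%d@%s>" % (os.getpid(), int(time.time()), host)


def client_response(user, password, challenge):
    """Client side: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)


def server_verify(response, challenge, realm, db=SASLDB):
    """Server side: fetch the secret for (user, realm), recompute, compare.

    Returns (ok, reason). The realm used for the lookup is chosen by the
    server (Cyrus SASL defaults it to the server's hostname unless configured),
    so a secret stored under a different realm is simply never found.
    """
    user, _, digest = response.partition(" ")
    secret = db.get((user, realm))
    if secret is None:
        return False, "no secret in database"   # lookup miss, not a bad password
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):  # constant-time compare
        return False, "authentication failure"
    return True, "ok"


if __name__ == "__main__":
    chal = make_challenge("guinness.emax.com")
    resp = client_response("builder", "builder", chal)
    print(server_verify(resp, chal, "guinness"))            # (True, 'ok')
    print(server_verify(resp, chal, "guinness.emax.com"))   # (False, 'no secret in database')
```

The second call shows that the same correct response is rejected with the lookup error when the server searches under a realm other than the one the secret was stored under, which is worth checking before suspecting the password itself.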