
Help Configuring OpenLDAP for SASL using CRAM-MD5

I have compiled and installed Cyrus SASL 1.5.24 and OpenLDAP 2.0.1.8.

I have created users in the sasldb using the saslpasswd utility.
I have verified that the SASL module is working using the sample client and server utilities that come with the Cyrus SASL.

After about a week of working on this, I still can't figure out how to get OpenLDAP to authenticate using the Cyrus SASL. I have looked at an enormous amount of documentation, none of which clearly describes the configuration, at least in a manner that I have been able to understand. I'm still not sure what needs to be in the slapd.conf for SASL authentication, and I'm still confused with what, if anything, goes in the userPassword attribute of the LDAP database. I have been able to do ldapsearches using simple binding but whenever I try to authenticate using SASL binding. When I try to perform a search using ldapsearch as follows:

ldapsearch -H ldap:///guinness.emax.com -p389 -x -b "" -s base -LLL supportedSASLMechanisms

I get the following as a result:

dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

This makes me assume that somehow the mechanism I am looking to work with, "CRAM-MD5", is being loaded.

I created a user called builder in the sasldb and when I issue the sasldblistusers command, I get the following:

user: builder realm: guinness mech: DIGEST-MD5
user: builder realm: guinness mech: PLAIN
user: builder realm: guinness mech: CRAM-MD5

The password for the user is builder.

When I issue the following command:

ldapsearch -I -b "" -s base -LLL -H ldap://guinness.emax.com -Y CRAM-MD5

I'll get the following results:

SASL/CRAM-MD5 authentication started
SASL Interaction
Default: builder
Please enter your authorization name:
Please enter you password:

I of course enter builder for both the authorization name and password and get the following results:

ldap_sasl_interactive_bind_s: Unknown error
        additional info: no secret in database

I also get the "no secret in database" error from a Java LDAP client when I try to authenticate using CRAM-MD5.


The ldif for the builder user is as follows:

dn: cn=builder,ou=Newtown,o=SciQuest, c=US
cn: builder
cn: java builder
objectclass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: builder
sn: builder
userPassword: {SASL}

My slapd.conf file looks like this:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#
# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to attr=userPassword
#       by * write
#       by * auth
#       by * read

access to *
        by * write
        by * read
        by * auth
        by self write
        by users read
        by anonymous auth

# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
#suffix         "dc=my-domain,dc=com"


suffix          "o=Sciquest,c=US"
rootdn          "cn=Manager,o=SciQuest,c=US"


# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          verona
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-ldbm
# Indices to maintain
index   objectClass     eq


If anyone has any suggestions, I'm all ears. This thing has been driving me nuts. Thanks in advance.
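As an added illustration, not code from the original post and not OpenLDAP's or Cyrus SASL's own implementation, the following Python carries out the CRAM-MD5 exchange of RFC 2195 from both sides. The server side uses a constructed stand-in for the sasldb, keyed by user and realm the way the sasldblistusers output in the post lists them ("user: builder realm: guinness"). It shows what the server actually needs in order to verify a CRAM-MD5 response (a cleartext-equivalent secret for the exact user and realm it looks up) and what it can report when that lookup finds nothing. The hostname, the SASLDB dictionary and the run_exchange helper are assumptions made for the example.

```python
# Added example: CRAM-MD5 (RFC 2195) challenge/response, client and server side.
# Not from the original post; the secret store below is a constructed stand-in
# for the Cyrus sasldb and is not how Cyrus SASL stores or selects realms.
import base64
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the sasldb: one secret per (user, realm) pair, mirroring
# the "user: builder realm: guinness" lines that sasldblistusers printed in the post.
SASLDB = {
    ("builder", "guinness"): "builder",   # constructed test user from the post
}


def make_challenge(hostname: str) -> bytes:
    """Server side: RFC 2195 challenge of the form <random.timestamp@hostname>."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username HEX(HMAC-MD5(key=password, msg=challenge))', base64 on the wire.
    Note that the client needs the cleartext password as the HMAC key."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8"))


def server_verify(wire_response: bytes, challenge: bytes, realm: str, db=SASLDB):
    """Server side: look up the secret for (user, realm) and recompute the HMAC.

    Returns (ok, detail). Because the server must redo the HMAC with the same key,
    it needs a cleartext-equivalent secret; a salted hash (as in a typical
    userPassword value) cannot be used to verify CRAM-MD5.
    """
    try:
        decoded = base64.b64decode(wire_response, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed response"
    username, _, digest = decoded.rpartition(" ")
    if not username or len(digest) != 32:
        return False, "malformed response"
    password = db.get((username, realm))
    if password is None:
        # The lookup found no secret for this user in this realm; the server can
        # say no more than that, since it never sees the client's password.
        return False, "no secret in database"
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False, "authentication failure"
    return True, username


def run_exchange(username: str, password: str, server_realm: str,
                 hostname: str = "ldap.example.test"):
    """Drive one full exchange: server challenge -> client response -> server verify.
    hostname and server_realm are assumptions of the example."""
    challenge = make_challenge(hostname)
    on_the_wire = base64.b64encode(challenge)            # server -> client
    reply = client_response(username, password, base64.b64decode(on_the_wire))
    return server_verify(reply, challenge, server_realm)  # client -> server


if __name__ == "__main__":
    print(run_exchange("builder", "builder", "guinness"))      # (True, 'builder')
    print(run_exchange("builder", "builder", "other-realm"))   # realm has no entry
    print(run_exchange("builder", "wrong", "guinness"))        # bad password
```

Two points the exchange makes concrete for a defender. First, the "no secret in database" result is produced by the lookup step alone: the secret must exist under the exact user and realm the server asks for, and the example only models that lookup, not the rules Cyrus SASL uses to choose the realm. Second, both sides key HMAC-MD5 with the cleartext password, so a server offering CRAM-MD5 has to keep a cleartext-equivalent secret for every user, which is why the mechanism cannot be backed by salted password hashes and why it is treated as obsolete in current deployments.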