[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SASL Authentication & OpenLDAP 2.0.18
Hi All,
While testing SASL authentication for OpenLDAP (2.0.18) I have
the following problem: when using 'ldapsearch' whith SASL auth
(i.e.: 'ldapsearch -LLL -U myuid -b "dc=mydc"') the user is
properly authenticated.
If instead I force ldapsearach to "Simple Auth" (whith the -x
flag, i.e.:
ldapsearch -LLL -D "cn=My Name,ou=Friends,o=myorg,dc=mydc"
-b "dc=Pittypanda" -W -x
for example), then it wont go through SASL and find the pass
in sasldb for the user - fairly normal for me. But the thing
is that (at least on my install) if I give as password:
{SASL}myuid
then it authenticates, meaning: OpenLDAP says it's the correct
password! ({SALS}myuid is the value given for userpassword to
OpenLDAP - myuid being in the sasldb: to me it meant that it
had to authenticate through SASL..).
Am I totally misconfiguring/missing something, or else something
is really wrong?
Actually I have tried to reproduce the same with version 2.0.7
on a RedHat 7.1 and couldnt. Instead whith the 2.0.18 I had
this behaviour on RedHat 6.2 and 7.1.
Here under is the slapd configuration used (exactly the same
for the tests on the 2.0.7 and the 2.0.18):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
defaultaccess none
access to dn="^$" by * read
access to * by dn="uid=admin + realm=ldapserver" read by * auth
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/openldap/var/slapd.pid
argsfile /usr/local/openldap/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=mydc"
rootdn "uid=admin + realm=ldapserver"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/openldap/var/openldap-ldbm
# Indices to maintain
index objectClass eq
#
# -- General ACL.
#
access to attr="userpassword"
by self write
by * compare
access to dn="cn=[^,]+,ou=[^,]+,o=([^,]+),dc=mydc"
by dn="cn=[^,]+,ou=[^,]+,o=$1,dc=mydc" read
by dn="o=$1,dc=mydc" write
by * auth
access to dn="ou=[^,]+,o=([^,]+),dc=mydc"
by dn="cn=[^,]+,ou=[^,]+,o=$1,dc=mydc" read
by dn="o=$1,dc=mydc" write
by * auth
and when adding a user password it was following this format:
...
uid: myuid
userpassword: {SASL}myuid
...
Thanks in advance for the help!
Regards,
Stéphane
PS.: with the ACLs given in this conf any user (except 'admin')
wont be able to do anything but authenticate himself if he is
given an "SASL type of account".. but he shouldnt be able to
read anything as well, if simply forcing his client to bind
using simple auth (??) and giving {SASL}myuid as password?