Re[2]: Problems with SASL & openLDAP
Hello Kent,
Tuesday, August 19, 2003, 4:50:29 PM, you wrote:
KS> SASL Digest-MD5 can be implemented without employing saslauthd. But you
KS> will need a mapping in your slapd.conf.
KS> First, run a "ldapwhoami -Y digest-md5" to see the form of the SASL auth
KS> DN. No, 'digest-md5' does not need to be in caps.
KS> Second, read section 10.2.4 and 10.2.5 of the Admin Guide to understand
KS> mapping. You'll want to use the LDAP URL mapping style because your LDAP
KS> DN is not of the form
KS> uid=bob,ou=MemberGroupA,dc=example,dc=com
KS> might work:
KS> //with a realm ...
KS> sasl-regexp
KS> uid=(.*),cn=.*,cn=digest-md5,cn=auth
KS> ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)
KS> //without a realm ...
KS> sasl-regexp
KS> uid=(.*),cn=digest-md5,cn=auth
KS> ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)
You have to put the mech in uppercase here, cn=DIGEST-MD5, or it
won't work.
KS> All I had to do for DIGEST-MD5 was add plaintext passwords like you have
KS> done and add correct mapping entries to slapd.conf. No SASL DB usage or
KS> commands. You're closer than you think to success. Your slapd ACLs are
KS> different from mine but you can fine tune that later.
KS> Cheers,
KS> Kent Soper
KS> "You don't stop playing because you grow old ...
KS> you grow old because you stop playing."
KS> Linux Technology Center, Linux Security
KS> phone: 1-512-838-9216
KS> e-mail: dksoper@us.ibm.com
KS> Greg Wilson <greg.wilson@tss-ltd.co.uk>
KS> Sent by: owner-openldap-software@OpenLDAP.org
KS> 08/19/2003 05:01 AM
KS> To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
KS> cc:
KS> Subject: Problems with SASL & openLDAP
KS> Another newbie problem
KS> I have openLDAP 2.1.22 installed on a RH9 machine with cyrus-sasl-2.1.10-4.
KS> I have added users to the openLDAP database using cleartext passwords as
KS> follows
KS> dn: cn=First User,ou=MemberGroupA,dc=example,dc=com
KS> ou: MemberGroupA
KS> cn: First User
KS> objectClass: top
KS> objectClass: person
KS> objectClass: organizationalPerson
KS> objectClass: inetOrgPerson
KS> uid: firstuser
KS> userPassword: cleartext
KS> etc.
KS> I have made an entry in slapd.conf following the guides
KS> password-hash {CLEARTEXT}
KS> # database access control definitions
KS> access to attr=userPassword
KS>     by self write
KS>     by anonymous auth
KS>     by dn.base="cn=Manager,dc=example,dc=com" write
KS>     by * none
KS> If I use the standard /etc/init.d/saslauthd start, a "ps -ef | grep sasl"
KS> gives
KS> root 22723 1 0 Aug18 ? 00:00:00 /usr/sbin/saslauthd -m
KS> /var/run/saslauthd/mux -a shadow
KS> When I try to change the ldappasswd I get the following
KS> [root@test root]# ldappasswd firstuser
KS> SASL/DIGEST-MD5 authentication started
KS> Please enter your password:
KS> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
KS> additional info: SASL(-13): user not found: no secret in database
KS> I have not yet gone on to the "Mapping Authentication identities to LDAP
KS> entries" section of the openLDAP SASL guide. However, I am unclear whether
KS> starting saslauthd with the "-a shadow" shown above is correct.
KS> The sasl2 libraries are all there as expected in /usr/lib/sasl2, trying
KS> to use saslpasswd2 also gives errors!!!
KS> Am I treading the correct path, or have I made a dumbo error already? I
KS> am leaning towards a sasl/ldap config issue, given the "secret in
KS> database" error shown above when the ldappasswd command is entered.
KS> Cheers
KS> Greg
KS> --
KS> Support Engineer
KS> Tel:
KS> Fax:
KS> Disclaimer
KS> Please note: This email is confidential and may also be privileged.
KS> Please notify us immediately, if you are not the intended recipient.
KS> You should not copy it, forward it or use it for any purpose or disclose
KS> its contents to any person.
KS> In sending this email, the sender is not acting as an agent,
KS> representative or in any other capacity for or on behalf of TSS.
KS> We cannot accept liability for any loss or damage caused by software
KS> viruses.
--
Best regards,
Alexander mailto:lan_mailing@startatom.ru
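As an added illustration (not code from this thread and not OpenLDAP's own implementation), the following Python model shows what the sasl-regexp mapping Kent describes does to the SASL authentication DN, and why Alexander's uppercase correction matters. It applies both rule sets from the thread to the DN form that "ldapwhoami -Y digest-md5" reports, expands the LDAP URL, and runs it against a toy directory holding the LDIF entry Greg posted. Assumptions, marked in the comments: the match is anchored and case-sensitive, as the thread reports for this slapd version; the realm name example.com and the second directory entry are constructed; only the URL features the thread's rule needs (scope sub, one equality filter) are modelled.

```python
"""Toy model of slapd's sasl-regexp mapping (added example, not OpenLDAP code).
SASL auth DN -> first matching sasl-regexp -> LDAP URL -> single entry DN."""
import re
from typing import Optional

LDAP_URL = "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"

# sasl-regexp lines as Kent posted them (lowercase mech name) ...
LOWERCASE_RULES = [
    (r"uid=(.*),cn=.*,cn=digest-md5,cn=auth", LDAP_URL),  # with a realm
    (r"uid=(.*),cn=digest-md5,cn=auth", LDAP_URL),        # without a realm
]
# ... and with the mech name in uppercase, as Alexander says it must be.
UPPERCASE_RULES = [
    (r"uid=(.*),cn=.*,cn=DIGEST-MD5,cn=auth", LDAP_URL),
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth", LDAP_URL),
]

# Constructed SASL auth DNs in the form "ldapwhoami -Y digest-md5" shows;
# slapd uppercases the mech name.  The realm "example.com" is an assumption.
SASL_DN_WITH_REALM = "uid=firstuser,cn=example.com,cn=DIGEST-MD5,cn=auth"
SASL_DN_NO_REALM = "uid=firstuser,cn=DIGEST-MD5,cn=auth"

# Toy directory: Greg's entry plus a constructed entry outside the search
# base, to show that the URL's base restricts which entries can match.
DIRECTORY = [
    {"dn": "cn=First User,ou=MemberGroupA,dc=example,dc=com", "uid": "firstuser"},
    {"dn": "cn=Other User,ou=MemberGroupB,dc=example,dc=com", "uid": "firstuser"},
]


def map_sasl_dn(sasl_dn: str, rules) -> Optional[str]:
    """Apply sasl-regexp rules in order; return the expanded replacement of
    the first rule that matches, or None.  Assumption: matching is anchored
    to the whole DN and case-sensitive, the behaviour the thread reports."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group)  # $1, $2, ... substitution
        return out
    return None


def parse_ldap_url(url: str) -> dict:
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = parts[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": flt}


def search(url: str, directory) -> list:
    """Run the mapped URL against the toy directory.  Only what the thread's
    URL needs is modelled: scope 'sub' (entry at or below the base) and a
    single (attr=value) equality filter."""
    q = parse_ldap_url(url)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", q["filter"])
    if m is None:
        raise ValueError(f"unsupported filter: {q['filter']}")
    attr, value = m.group(1), m.group(2)
    hits = []
    for entry in directory:
        in_scope = entry["dn"] == q["base"] or entry["dn"].endswith("," + q["base"])
        if q["scope"] == "sub" and in_scope and entry.get(attr) == value:
            hits.append(entry["dn"])
    return hits


def resolve(sasl_dn: str, rules, directory) -> Optional[str]:
    """Full chain: None when no rule matches, or when the search does not
    return exactly one entry (slapd also requires exactly one)."""
    url = map_sasl_dn(sasl_dn, rules)
    if url is None:
        return None
    hits = search(url, directory)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for label, rules in (("lowercase", LOWERCASE_RULES), ("uppercase", UPPERCASE_RULES)):
        for dn in (SASL_DN_WITH_REALM, SASL_DN_NO_REALM):
            print(f"{label:9} {dn:48} -> {resolve(dn, rules, DIRECTORY)}")
```

Running it shows the lowercase rules mapping nothing (the bind then fails exactly as if no mapping existed), while the uppercase rules resolve both the realm and no-realm forms to Greg's entry; the extra entry under ou=MemberGroupB never matches because it sits outside the URL's base.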