SASL Digest-MD5 can be implemented without employing saslauthd. But you
will need a mapping in your slapd.conf.
First, run a "ldapwhoami -Y digest-md5" to see the form of the SASL auth
DN. No, 'digest-md5' does not need to be in caps.
Second, read sections 10.2.4 and 10.2.5 of the Admin Guide to understand
mapping. You'll want to use the LDAP URL mapping style because your LDAP
DN is not of the form
    uid=bob,ou=MemberGroupA,dc=example,dc=com
might work:
# with a realm ...
sasl-regexp
    uid=(.*),cn=.*,cn=digest-md5,cn=auth
    ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)

# without a realm ...
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)
All I had to do for DIGEST-MD5 was add plaintext passwords like you have
done and add correct mapping entries to slapd.conf. No SASL DB usage or
commands. You're closer than you think to success. Your slapd ACLs are
different from mine but you can fine tune that later.
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: dksoper@us.ibm.com
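To see what the two sasl-regexp rules above actually do to a DIGEST-MD5 authentication DN, here is an added example (not Kent's code and not OpenLDAP's own implementation) that walks through the mapping in Python: it applies the rules in order, substitutes $1 into the LDAP URL, splits the URL into base/scope/filter, and runs that filter over a small constructed directory in the style of the LDIF in this thread. The directory contents, the rule order ("first match wins"), the anchored case-insensitive matching, and the RFC 4515 filter escaping of the captured uid are all assumptions of this example; the point is to show why the realm form matches the first rule, why a uid outside ou=MemberGroupA is not found, and why the search must yield exactly one entry.

```python
import re

# Constructed sample directory (entries in the style of the thread's LDIF).
# A real slapd searches its database; this dict stands in for it.
DIRECTORY = {
    "cn=First User,ou=MemberGroupA,dc=example,dc=com": {"uid": "firstuser"},
    "cn=Bob Smith,ou=MemberGroupA,dc=example,dc=com": {"uid": "bob"},
    "cn=Bob Smith,ou=Staff,dc=example,dc=com": {"uid": "bob"},  # outside the URL's search base
}

# The two sasl-regexp rules from the reply, tried in order (assumption: first match wins).
SASL_REGEXP = [
    (r"uid=(.*),cn=.*,cn=digest-md5,cn=auth",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
    (r"uid=(.*),cn=digest-md5,cn=auth",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
]


def escape_filter_value(value):
    """RFC 4515 escaping (this example's safeguard) so a captured uid such as
    'fi*' cannot widen or break the generated search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value for the toy search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def map_authz_dn(auth_dn):
    """Apply the sasl-regexp rules to a SASL authentication DN (the string
    'ldapwhoami -Y digest-md5' prints). Returns the LDAP URL with $1 filled
    in, or None when no rule matches."""
    for pattern, url in SASL_REGEXP:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)  # assumption: anchored, case-insensitive
        if m:
            return url.replace("$1", escape_filter_value(m.group(1)))
    return None


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?", 3)
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts
    return base, attrs, scope or "base", filt


def search(base, scope, filt):
    """Tiny subset of an LDAP search: one equality filter, scope base/one/sub."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, want = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        dn_l, base_l = dn.lower(), base.lower()
        if scope == "base":
            in_scope = dn_l == base_l
        elif scope == "one":
            in_scope = dn_l.endswith("," + base_l) and "," not in dn_l[:-len(base_l) - 1]
        else:  # sub
            in_scope = dn_l == base_l or dn_l.endswith("," + base_l)
        if in_scope and entry.get(attr, "").lower() == want:
            hits.append(dn)
    return hits


def resolve(auth_dn):
    """Map an authentication DN to the entry slapd would bind as. Returns None
    when no rule matches or the search does not return exactly one entry
    (a URL mapping needs exactly one hit to be usable)."""
    url = map_authz_dn(auth_dn)
    if url is None:
        return None
    base, _attrs, scope, filt = parse_ldap_url(url)
    hits = search(base, scope, filt)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for dn in ("uid=firstuser,cn=digest-md5,cn=auth",
               "uid=bob,cn=example.com,cn=digest-md5,cn=auth",
               "uid=nobody,cn=digest-md5,cn=auth"):
        print(dn, "->", resolve(dn))
```

Run it and compare the printed authentication DNs with what ldapwhoami shows on your server; if the realm form appears there, the first rule is the one that fires, and the uid captured by (.*) is what ends up in the filter, which is why the escaping step matters.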
From: Greg Wilson <greg.wilson@tss-ltd.co.uk>
Sent by: owner-openldap-software@OpenLDAP.org
To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
cc:
Subject: Problems with SASL & openLDAP
Date: 08/19/2003 05:01 AM
Another newbie problem
I have openLDAP 2.1.22 installed on a RH9 machine with cyrus-sasl-2.1.10-4.
I have added users to the openLDAP database using cleartext passwords as
follows
dn: cn=First User,ou=MemberGroupA,dc=example,dc=com
ou: MemberGroupA
cn: First User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: firstuser
userPassword: cleartext
etc.
I have made an entry in slapd.conf following the guides
password-hash {CLEARTEXT}

# database access control definitions
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
If I use the standard /etc/init.d/saslauthd start, a "ps -ef | grep sasl"
gives
root 22723 1 0 Aug18 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd/mux -a shadow
When I try to change the password with ldappasswd I get the following
[root@test root]# ldappasswd firstuser
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database
I have not yet gone on to the "Mapping Authentication identities to LDAP
entries" section of the openLDAP SASL guide. However, I am unclear whether
starting saslauthd with the "-a shadow" shown above is correct.
The sasl2 libraries are all there as expected in /usr/lib/sasl2, trying
to use saslpasswd2 also gives errors!!!
Am I treading the correct path, or have I made a dumbo error already? I
am leaning towards a sasl/ldap config issue given the "secret in
database" error shown above when the ldappasswd command is entered.
Cheers
Greg
--
Support Engineer