[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Common Address Book



On Mon, Nov 17, 2003 at 07:02:48AM +0800, J Michasel Gilks wrote:

> Still here and still trying.
> I have added the evolutionperson.schema to the directory and updated the
> user password using slappassword to generate the password and ldapmodify
> to insert it into the directory.
> Unfortunately this has brought some strange authentication stuff with
> it.
> From the command line I can now see everything in the directory by
> entering a blank password, although this is probably because of the ACL 
> access to * by * read
> However if I enter a password for my user, call him mike, I get the
> message 
> ldap_bind: Invalid credentials

It seems likely that you are using the wrong parameters to specify
the user to the client software.

As Luca Scamoni said earlier, you also need to understand the
difference between TLS/SSL and SASL. Let's start with SASL:

	SASL is the Simple Authenticatiuon and Security Layer.
	When used in OpenLDAP it is implemented with the Cyrus SASL
	library. SASL provides a range of high-security authentication
	methods. If you want to use it you should read Chapter 10 of
	the OpenLDAP admin guide:

	http://www.openldap.org/doc/admin21/sasl.html

	However, before going into that level of complexity, I would
	first consider whether you really need high security for your
	read-only clients. Do you need any at all? Directories tend to
	mostly hold public-knowledge info, and are there to make it
	widely available. If you don't need to protect the data from
	being read then don't bother with client usernames and
	passwords at all.

	When doing data updates you probably do want more security.
	SASL is one way to provide this, but in the simple case it
	stores usernames and passwords *outside* the directory. If
	this is acceptable, try creating a SASL user (do this as root):

		saslpasswd2 -c fred

	Note that your slapd process will have to run as root to be
	able to read the SASL database. You should now be able to
	authenticate using parameters like '-U fred -W' on the
	ldapsearch commands etc.

	Even having got this far, there are more things to understand
	about SASL before you can deploy it widely. I would advise
	avoiding it until you understand the rest.

Now let's look at TLS/SSL:

	Transport Level Security is the newer form of Secure Sockets
	Layer. It is a service that can be negotiated on top of a
	basic LDAP connection to provide encryption and
	authentication.

	In the most common usage, an X.509 certificate is generated
	for the LDAP server so that clients can verify that they have
	contacted the real server and to allow encryption to be set
	up.

	TLS can also do authentication. I suggest ignoring this for
	now.

And finally, authentication:

	Assuming you are not going to use SASL (which many
	non-OpenLDAP LDAP clients don't support anyway), that means
	that you will be using some variation on 'simple bind'.

	OpenLDAP clients default to using SASL (which is the correct
	behaviour defined in the standard) so if you don't intend to
	use it you must always use the -x flag on OpenLDAP commands.

	Now you need to make some usernames and passwords. The
	important thing to note here is that usernames are DNs
	(Distinguished Names). Thus, you might have a username
	'cn=readonly, o=megacorp, c=au' which is represented by an
	entry in the Directory. To bind as that user and do a search,
	use a command like this:

	ldapsearch -x -D 'cn=readonly, o=megacorp, c=au' -W -b 'o=megacorp, c=au' -s sub 'objectclass=*'

	Note the use of -D to introduce the username.

	Under this scheme, all usernames are part of the Directory
	data. The only exception is the directory manager which can be
	specified in slapd.conf directly and does not have to be in
	the Directory itself.

> Evolution will not accept the blank password and continues requesting a
> password until I cancel the message box.
> One more thing I just noticed, the userPassword reported from the
> command line is different to the userPassword being shown in GQ.

It may be that GQ is decoding the Base64 format. If the command-line
tools show an attribute name followed by *two* colons then the data is
Base64 encoded. Use the attached script to decode it.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
#!/usr/bin/perl -w
#
# decode-base64

use MIME::Base64;

while (<>) {
	chomp;
	my ($res) = decode_base64($_);
	print $res;
	print "\n";
}