Re: OpenLDAP and SASL
- To: Dieter Kluenter <dieter@dkluenter.de>
- Subject: Re: OpenLDAP and SASL
- From: Jittinan Suwanrueangsri <jittinan2@gmail.com>
- Date: Mon, 07 Sep 2009 12:17:43 +0700
- Cc: openldap-software@openldap.org
- In-reply-to: <874ori7u3s.fsf@rubin.avci.de>
- References: <4A9FF58C.5040505@gmail.com> <874ori7u3s.fsf@rubin.avci.de>
- User-agent: Thunderbird 2.0.0.23 (Windows/20090812)
Dieter Kluenter wrote:
> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
>> Hi
>> I have seen a configuration in which SASL gets the password from sasldb. I must
>> run saslpasswd2 to create the user and password for authentication, but is
>> it possible to configure OpenLDAP and SASL to verify authentication by
>> getting the password from OpenLDAP itself, as happens in simple
>> binding (userPassword attribute)? How can I do it?
> There is nothing special to do. ldapsearch -Y DIGEST-MD5 -U foo -w
> secret -H ldap://myhost -b dc=example,dc=com ...
> All you have to do is to set the userPassword value as plaintext,
> otherwise the challenge cannot be created. If you want to parse the
> sasl authentication string to a DN, then you have to define an
> authz-regexp in slapd.conf(5) and the user has to have a uid
> attribute.
> -Dieter
I still cannot authenticate using the password from the userPassword attribute. I have also
attached 2 configuration files to this email. Is there any missing
configuration?
# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel stats
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload ppolicy
###########
# SSL/TLS #
###########
#TLSCACertificateFile /CA/cacert.pem
TLSCACertificatePath /CA/
TLSCertificateFile /usr/local/etc/openldap/cert/ldap.example.com.cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.example.com.key.pem
TLSVerifyClient try
###########
# SASL
###########
authz-regexp
	uid=([^,]+).*,cn=auth
	uid=$1,ou=Users,dc=example,dc=com
authz-regexp
	email=([^,]+),cn=([^,]+).*,c=TH$
	uid=$2,ou=Users,dc=example,dc=com
sasl-realm example.com
sasl-secprops none
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap/example.com
index objectClass eq
index cn sub,eq
########
# ACLs #
########
#access to attrs=uid
# by anonymous read
# by users read
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to dn.subtree="ou=System,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
by users read
access to *
by self write
by users read
by * none
database hdb
suffix "dc=demo,dc=net"
rootdn "cn=admin,dc=demo,dc=net"
rootpw secret
directory /var/lib/ldap/demo.net
index objectClass eq
index cn eq,sub,pres,approx
index uid eq,sub,pres
access to attrs=userPassword
by anonymous auth
by self write
access to dn.sub="dc=demo,dc=net"
by dn.sub="dc=demo,dc=net" read

#This is the root of the directory tree
dn: dc=example,dc=com
description: Example.com, your trusted non-existent corporation.
dc: example
o: Example.com
objectClass: top
objectClass: dcObject
objectClass: organization
#Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.com Users
objectClass: organizationalUnit
#Subtree of Groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.com Groups
objectClass: organizationalUnit
#Subtree of System account
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit
#
#USERS
#
#Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
#Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
#Work info:
title: System Integrator
description: System Integration and IT for Example.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
#Home info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago,IL $ 60699-1234
#Misc:
userPassword: secret
preferredLanguage: en-us:en-gb
#Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
#Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: 12345
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
#LDAP Admin Group:
dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
ou: Groups
description: Users who are LDAP Administrators
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames
#Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject
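As an added example (not from the thread, nor OpenLDAP's own code), the script below replays the two mechanisms Dieter's reply depends on, using the rules from the posted slapd.conf: it applies the authz-regexp rules to a SASL or TLS authentication DN the way slapd.conf(5) describes (first matching rule wins, $N expands to capture group N), and it scans an LDIF for userPassword values that are stored with a {scheme} prefix, which DIGEST-MD5 cannot use because the server needs the cleartext secret to build the challenge response. Python's re module stands in for slapd's POSIX regex matcher and case-insensitive matching approximates DN normalization; both are assumptions. The LDIF is constructed here (the {SSHA} value is a placeholder, not a real hash).

```python
"""Added example, not from the thread: replays the authz-regexp mapping from the
posted slapd.conf and checks which userPassword values in an LDIF can serve a
DIGEST-MD5 bind. Python's re module approximates slapd's POSIX regex engine."""
import base64
import re

# The two authz-regexp rules exactly as they appear in the posted slapd.conf.
AUTHZ_REGEXP = [
    (r"uid=([^,]+).*,cn=auth", "uid=$1,ou=Users,dc=example,dc=com"),
    (r"email=([^,]+),cn=([^,]+).*,c=TH$", "uid=$2,ou=Users,dc=example,dc=com"),
]


def map_authz(auth_dn, rules=AUTHZ_REGEXP):
    """Map a SASL or TLS authentication DN to a directory DN.

    Rules are tried in order, the first match wins, and $N in the replacement
    is capture group N (the slapd.conf(5) semantics). None means no rule
    matched; slapd then keeps the unmapped cn=auth DN, which owns no entry, so
    'by self' ACLs on the user's entry can never apply. Case-insensitive
    matching is an assumption standing in for slapd's DN normalization.
    """
    for pattern, template in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def ldif_entries(ldif_text):
    """Tiny LDIF reader: returns [(dn, {attr: [values]})]. Handles '#' comments,
    blank-line entry separators and '::' base64 values; no continuation lines."""
    entries, current = [], None
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def digest_md5_ready(entries):
    """Report, per DN, whether the stored userPassword can back DIGEST-MD5.

    slapd hands the stored secret to the SASL library so it can compute the
    digest; a {SSHA}, {MD5}, ... hash cannot be turned back into that secret,
    so only an unprefixed cleartext value works (Dieter's point in the reply).
    Returns {dn: (usable, scheme_or_None)}.
    """
    report = {}
    for dn, attrs in entries:
        for value in attrs.get("userPassword", []):
            m = re.match(r"\{([^}]+)\}", value)
            scheme = m.group(1).upper() if m else None
            report[dn] = (scheme is None, scheme)
    return report


# Constructed sample: matt and barbara as in the posted LDIF (barbara's value
# base64-encoded), plus a constructed entry whose secret is a placeholder hash.
SAMPLE_LDIF = """\
dn: uid=matt,ou=Users,dc=example,dc=com
uid: matt
userPassword: secret

dn: uid=barbara,ou=Users,dc=example,dc=com
uid: barbara
userPassword:: MTIzNDU=

# constructed entry with a hashed secret (placeholder, not a real digest)
dn: uid=hashed,ou=Users,dc=example,dc=com
uid: hashed
userPassword: {SSHA}PLACEHOLDERHASHVALUE
"""

if __name__ == "__main__":
    # What slapd sees for 'ldapwhoami -Y DIGEST-MD5 -U matt' with sasl-realm
    # example.com, for a client certificate subject, and for an unmappable DN.
    for auth_dn in ("uid=matt,cn=example.com,cn=digest-md5,cn=auth",
                    "email=matt@example.com,cn=matt,ou=Users,o=Example,c=TH",
                    "cn=someone,cn=auth"):
        print(f"{auth_dn} -> {map_authz(auth_dn)}")
    for dn, (usable, scheme) in digest_md5_ready(ldif_entries(SAMPLE_LDIF)).items():
        state = "usable for DIGEST-MD5" if usable else f"not usable (stored as {{{scheme}}})"
        print(f"{dn}: {state}")
```

Running it shows the DIGEST-MD5 identity for matt landing on uid=matt,ou=Users,dc=example,dc=com while cn=someone,cn=auth stays unmapped, and flags the {SSHA} entry as the kind of value that makes a SASL bind fail even though a simple bind against the same entry works.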