[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap+sasl confusion

To: Seau Yeen Su <seauyeen@mgrc.com.my>
Subject: Re: openldap+sasl confusion
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 26 Jun 2009 18:43:47 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <bc1a031a0906242347q7d5ca041yff5b9da83b19de24@mail.gmail.com>
References: <bc1a031a0906242347q7d5ca041yff5b9da83b19de24@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090606 SeaMonkey/1.1.17

Seau Yeen Su wrote:
> 
> 1. After using saslpasswd2 to create the username and password in sasl
> database, do i need to add the entry into ldap database with slappasswd
> command? When i used slapadd command and it prompts for password, does
> it authenticate against sasl database or ldap database?

I assume you're talking about SASL bind with password-based mechs.

It depends whether you want in-directory passwords (mainly userPassword
with clear-text password as attribute value) or not.

> 2. Do i need to issue saslpasswd2 for each and every user that i want to
> add into ldap database and to be authenticated via ldap? 

Only if you don't store the passwords in the directory.

> 3. In the slapd.conf file, under rootpw, am i supposed to use the word
> "secret" or the cleartext password that i keyed in using saslpasswd2 or
> some encrypted password?

As values for attribute userPassword rootpw can be hashed or clear-text.
If you also want to bind as rootdn with SASL bind with mech CRAM-MD5 or
DIGEST-MD5 then it has to be clear-text. Otherwise it can be hashed
(e.g. generated/hashed with command-line tool slappasswd).

> 4. What is the difference between sasl-regexp and authz-regexp?

authz-regexp is the recent keyword in slapd.conf for this.

Example:

authz-regexp  "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth"
  "ldap:///ou=schulung??sub?(uid=$1)"

> 5. Let's say i issued saslpasswd2 -c admin to create admin as the LDAP
> administrator. Does this mean in the slapd.conf, the rootdn should be
> admin or can it be another name, that will be mapped via
> sasl-regexp/authz-regexp? (Which does it use anyway between these 2 :
> sasl-regexp & authz-regexp?)

SASL bind with digest password mech only knows a plain user-ID. So you
need an appropriate authz-regexp in slapd.conf to map it to a DN of an
existing entry.

> > 6. Previously I set up without sasl and it was rather straightforward,
> merely using slappasswd and save the encyrpted pasword into slapd.conf.

If you used a hashed password in rootpw and you did nothing else then I
doubt you could use that with SASL/DIGEST-MD5 bind.

Don't forget to double check the access control rule for userPassword.
Should contain a clause to grant auth access to anyone.

Example:

access to attrs=userPassword
    by group="cn=Password Admins,ou=Groups,ou=schulung" =wx
    by self =wx
    by * =x

Ciao, Michael.

Follow-Ups:
- Re: openldap+sasl confusion
  - From: Seau Yeen Su <seauyeen@mgrc.com.my>

References:
- openldap+sasl confusion
  - From: Seau Yeen Su <seauyeen@mgrc.com.my>

Prev by Date: Re: monitor mirror mode
Next by Date: MirrorMode VS load balancing
Index(es):
- Chronological
- Thread