
Re: OpenLDAP session authentication



On 23/09/10 12:27 -0500, Erik Lotspeich wrote:
> I have an OpenLDAP installation that I use as an addressbook.  I do not
> use OpenLDAP for authentication on my network.  I am using it on an
> internal network with anonymous read-only access.
>
> I would like to require user-level authentication and I would like to
> authenticate access to the LDAP database using system users in
> /etc/passwd.  Is this possible?

Yes. How flexible that support may be depends on whether or not LDAPv3 is
supported by your addressbook LDAP client (see below).

> For authorization, I would like a few users to have read/write access
> and others to be read-only.  I would like to disallow anonymous access
> to the database.

I do:

access to dn.base="" by * read

(which is necessary for SASL)

and then a catchall of:

access to *
    . . .
    by self read
    by * none

And above those two statements I have several more specific ACLs where
needed, such as ACLs for accessing address books based on group membership.

> I have SSL/TLS set up now and that works; I would like to be able to
> turn off all non-SSL access to the database once the
> authentication/authorization is set up.
>
> I don't know the best way to accomplish that.


You can authenticate against PAM by using saslauthd. Assuming that your
client supports LDAPv3, you can authenticate against saslauthd by way of
SASL binds using the PLAIN (or LOGIN) mechanism.

You'll need to create/edit /usr/lib/sasl2/slapd.conf (or
/etc/sasl2/slapd.conf depending on your SASL version and operating system
defaults). Note that this is the SASL slapd.conf config file, not the
OpenLDAP slapd.conf configuration file. Its contents might be:

pwcheck_method: saslauthd
mech_list: plain login gssapi external
auxprop_plugin: slapd     (not necessary on newer versions of openldap)

You will need to install saslauthd and start it with a '-a pam' option.
If your slapd process does not run as the root user, you will need to
verify that the user or group that your slapd process runs as can access
the saslauthd unix domain socket, typically found somewhere underneath
/var.

SASL binds using PLAIN should then authenticate against pam (with a pam
service name of 'slapd').

To allow plaintext SASL authentication, you'll need:

sasl-secprops none

in your openldap config (not your sasl config)

To test your saslauthd/pam authentication outside of slapd, try:

testsaslauthd -u username -p password -s slapd

If that works, then:

ldapwhoami -Y plain -U username -H ldap://ldap.example.com

should also.

If so, your authentication identity will probably be something like:

uid=username,cn=plain,cn=auth

See chapter 15 of the OpenLDAP Software 2.4 Administrator's Guide on how to
map such identities to DNs within your directory, which you may or may not
wish to do.

If your clients do not support LDAPv3, but instead require simple binds for
authentication, you'd have to create LDAP entries for all your users, and
insert a userPassword attribute into each entry with the format of:

userPassword: {SASL}username@domainname

You'll also need to have compiled your slapd with the --enable-spasswd
configure option.

--
Dan White
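The checks a defender would want to run on the setup described in this reply, written as an added example; this is not code from the post, from saslauthd or from OpenLDAP. It parses the SASL-library slapd.conf quoted above and confirms it hands PLAIN/LOGIN passwords to saslauthd, verifies that the uid/gids slapd runs under can actually reach the saslauthd socket (the permission problem the reply warns about, checked here against a constructed temporary file standing in for the mux socket), and builds the `uid=username,cn=plain,cn=auth` identity and maps it onto a directory DN the way an authz-regexp rule from the Administrator's Guide would. The `ou=people,dc=example,dc=com` layout is an assumption (the post names no user DN), and the mapping uses Python's `\1` backreference rather than slapd's `$1`.

```python
"""Added example, not code from the list post or from OpenLDAP/saslauthd."""
import os
import re
import stat
import tempfile

# Constructed sample of the SASL-library slapd.conf quoted in the reply
# (this is the SASL config, not the OpenLDAP slapd.conf).
SAMPLE_SASL_CONF = """\
# SASL config for slapd
pwcheck_method: saslauthd
mech_list: plain login gssapi external
auxprop_plugin: slapd
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip().lower()] = value.strip()
    return conf


def check_plain_via_saslauthd(conf):
    """Return the problems that would stop PLAIN/LOGIN binds reaching saslauthd."""
    problems = []
    if conf.get("pwcheck_method") != "saslauthd":
        problems.append("pwcheck_method must be 'saslauthd' to verify passwords via PAM")
    mechs = set(conf.get("mech_list", "").lower().split())
    if not mechs & {"plain", "login"}:
        problems.append("mech_list must include plain (or login) for password binds")
    return problems


def can_reach_socket(path, uid, gids):
    """True if a process running as uid/gids can traverse the socket's directory
    and read/write the socket itself; root (uid 0) bypasses the mode bits."""
    if uid == 0:
        return True

    def allowed(st, want):
        if st.st_uid == uid:
            shift = 6          # owner bits
        elif st.st_gid in gids:
            shift = 3          # group bits
        else:
            shift = 0          # other bits
        return ((st.st_mode >> shift) & 0o7) & want == want

    return (allowed(os.stat(os.path.dirname(path)), 0o1)   # x on the directory
            and allowed(os.stat(path), 0o6))              # rw on the socket


def demo_socket_check():
    """Constructed fixture: a 0700 directory holding a 0600 file that stands in
    for the saslauthd mux socket. Returns (owner_can_reach, other_uid_can_reach)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        sock = os.path.join(d, "mux")
        open(sock, "w").close()
        os.chmod(sock, stat.S_IRUSR | stat.S_IWUSR)
        me = os.getuid()
        return (can_reach_socket(sock, me, {os.getgid()}),
                can_reach_socket(sock, me + 1, set()))


# Characters that would need RFC 4514 escaping inside a DN value; a login name
# containing them is refused rather than spliced into the identity unescaped.
DN_SPECIAL = re.compile(r'[,+"\\<>;=]')


def sasl_auth_dn(username, mech="plain"):
    """Authentication identity slapd forms for a SASL bind, as quoted in the post."""
    if not username or DN_SPECIAL.search(username):
        raise ValueError("username not usable in a DN: %r" % username)
    return "uid=%s,cn=%s,cn=auth" % (username, mech.lower())


# Assumed directory layout (the post names none): map PLAIN identities onto
# entries under ou=people,dc=example,dc=com, as an authz-regexp rule would.
AUTHZ_RULES = [
    (re.compile(r"^uid=([^,]+),cn=plain,cn=auth$"),
     r"uid=\1,ou=people,dc=example,dc=com"),
]


def map_identity(auth_dn, rules=AUTHZ_RULES):
    """First matching rule wins; an identity no rule matches is returned unchanged."""
    for pattern, replacement in rules:
        if pattern.match(auth_dn):
            return pattern.sub(replacement, auth_dn)
    return auth_dn


if __name__ == "__main__":
    print(check_plain_via_saslauthd(parse_sasl_conf(SAMPLE_SASL_CONF)))
    print(demo_socket_check())
    print(map_identity(sasl_auth_dn("username")))
```

Run as-is it reports an empty problem list for the quoted config, `(True, False)` for the socket fixture, and `uid=username,ou=people,dc=example,dc=com` for the mapped identity; point `parse_sasl_conf` at the real file and `can_reach_socket` at the real mux socket with slapd's uid and gids to check a live host.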