/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" , API version: 4
supports store: yes
Plugin "sasldb" , API version: 4
supports store: yes
File modified (newly created): /usr/lib64/sasl2/pluginviewer.conf
Hello All,
I was working on this problem and figured out that the ldapdb auxprop plugin is missing.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
Installed auxprop mechanisms are:
...
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such a thing, the ldapdb auxprop plugin should be enabled.
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
The package has been installed and the below files are there:
libldapdb.la
libldapdb.so.2.0.22
libldapdb.so.2
libldapdb.so
Please help me with how to set up SASL using an LDAP directory.
Thanks for your help.
Regards,
Gaurav Gugnani

On Tue, Feb 7, 2012 at 11:01 AM, Gaurav Gugnani <gugnanigaurav@gmail.com> wrote:
Hello All,
Thanks to all for helping me out. I hope the destination is not too far now, as I got SASL working, but it is storing using sasldb.
However, I want it to store the information in the LDAP directory.
I've installed the corresponding package:
cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
------------------------------------------------------
1> saslpasswd2 -c sasluser14
2> sasldblistusers2
3> service ldap stop
4> vi etc/openldap/slapd.conf
sasl-auxprops sasldb
- Give proper ACL to sasluser14
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
#auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /etc/sasldb2
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
dn: uid=sasluser14,ou=System,o=xyz
# TEST Account for SASL:
uid: sasluser14
userPassword: sasluser14
ou: System
description: Special account for SASL Testing
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to use the LDAP directory.
Can anyone please suggest what changes I need to make to achieve it?
Thanks a lot for your support.
Regards,
Gaurav Gugnani

On Mon, Feb 6, 2012 at 9:17 PM, Dan White <dwhite@olp.net> wrote:
On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
Hello All,
Thanks for helping me out; however, I'm still stuck in the middle of it and the
issue has not yet been resolved.
You should run your server in debug mode to determine what's going awry.
*Error:*
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U
sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
I checked the ACL, and now I'm also using authz with the following lines:
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
access to attrs="userpassword"
by self write
by anonymous auth
by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz"
by dn="uid=sasluser7,ou=System,o=xyz" read
by users read
access to dn.subtree="ou=Subscribers,o=xyz"
by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
by self write
by dn="uid=sasluser7,ou=System,o=xyz" read
I hope it is fine.
I have 'by anonymous auth' on the following:
access to dn.base="ou=people,dc=example,dc=net"
access to attrs=userPassword
access to attrs=authzTo
access to attrs=objectClass
access to attrs=entry,uidNumber
You could determine if that's sufficient for you piecemeal wise but, again,
use debug output to figure it out. For example:
slapd -d -1 -h ldap:/// -u openldap -g openldap
See the manpage for slapd for details.

Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D
'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3

Be aware that the above is a simple uuencoding of your password. It should
now be considered publicly known.

objectClass: account
objectClass: simpleSecurityObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Also, I would like to highlight one thing:
that when I check for sasl dblist users, it throws me an error. Can that
be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found

Any of the cyrus sasl* commands are most likely doing the wrong thing,
which default to using the sasldb auxprop store (which uses /etc/sasldb2)
rather than slapd or ldapdb. I would not use them at this point as they're
bound to confuse the matter.
--
Dan White
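The authz-regexp mapping and the userPassword:: line discussed in this thread, as an added Python model (it is not code from the thread, from OpenLDAP or from Cyrus SASL): it applies the thread's authz-regexp rule to a SASL authentication DN the way slapd does, decodes a constructed LDIF entry whose userPassword is only base64-encoded, and walks the three links (identity mapping, existing entry, stored userPassword) that an LDAP-backed auxprop lookup needs before a DIGEST-MD5 bind can succeed. The sample LDIF, its base64 value and the lookup logic are constructed assumptions modelled on slapd's documented behaviour.

```python
import base64
import re

# Rule copied from the thread's slapd.conf: map the SASL authentication DN
# that slapd builds for a DIGEST-MD5 bind onto a real entry under ou=System.
AUTHZ_RULES = [
    (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz"),
]

# Constructed LDIF, modelled on the thread's ldapsearch output. The '::' form
# is plain base64, not encryption: c2FzbHVzZXI3 is "sasluser7".
SAMPLE_LDIF = """\
# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXI3
objectClass: account
objectClass: simpleSecurityObject
"""


def map_sasl_identity(authc_dn, rules=AUTHZ_RULES):
    """Model of slapd's authz-regexp: the first rule whose pattern matches the
    whole SASL authentication DN wins, and $N in the replacement is filled
    from capture group N. Matching is case-insensitive because slapd
    normalises the DN (cn=digest-md5,cn=auth) before matching. Returns None
    when no rule applies, i.e. no directory entry is selected."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return None


def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: 'attr: value' and 'attr:: base64'
    lines, '#' comments skipped. Attribute names are lowercased since LDAP
    attribute types are case-insensitive. Line continuation is not handled."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, raw = line.partition(":")
        if raw.startswith(":"):
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def build_directory(*ldif_texts):
    """Index parsed entries by lowercased DN, as a stand-in for the directory."""
    directory = {}
    for text in ldif_texts:
        entry = parse_ldif_entry(text)
        directory[entry["dn"][0].lower()] = entry
    return directory


def lookup_secret(authc_dn, entries):
    """What an LDAP-backed auxprop lookup needs to succeed: the SASL identity
    must map to a DN, that DN must exist, and the entry must carry a
    userPassword. Any missing link yields None, which is the situation slapd
    reports as "user not found: no secret in database"."""
    dn = map_sasl_identity(authc_dn)
    if dn is None:
        return None
    entry = entries.get(dn.lower())
    if entry is None or "userpassword" not in entry:
        return None
    return entry["userpassword"][0]


if __name__ == "__main__":
    directory = build_directory(SAMPLE_LDIF)
    print(map_sasl_identity("uid=sasluser7,cn=DIGEST-MD5,cn=auth"))
    print(lookup_secret("uid=sasluser7,cn=DIGEST-MD5,cn=auth", directory))
    print(lookup_secret("uid=nobody,cn=DIGEST-MD5,cn=auth", directory))
```

Two things the model makes visible: a bind over a mechanism the rule does not name (cn=PLAIN,cn=auth) maps to nothing, so the ACL on ou=System never even comes into play; and a userPassword stored as a cleartext value (whether written as `userPassword:` or base64 as `userPassword::`) is readable by anyone the ACL grants read on that attribute, which is why the thread's "by dn=... read" on userpassword deserves a second look.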