
Re: Got error while enabling SASL



Hello Dan,

Thanks a lot for making things work.

I'm jotting down the steps which I executed to make SASL work:

Steps to make SASL configuration working:
---------------------------------------------------------------------

1> Install the following packages:
   - cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
   - cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
  
2> Create sasl2/slapd.conf
   vi /usr/lib64/sasl2/slapd.conf
  
   [root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
   # SASL Configuration
   pwcheck_method: auxprop
   auxprop_plugin: slapd
   mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5


3> Modify $LDAP_HOME/etc/openldap/slapd.conf
   password-hash  {CLEARTEXT}
   authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
  
   #ACL
   access to attrs="userpassword"
           by anonymous auth
           by self write
           by group="cn=LDAP Admins,ou=Groups,o=xyz" write
           by dn="uid=replicator,ou=System,o=xyz" read
   access to dn.base="o=xyz"
           by group="cn=LDAP Admins,ou=Groups,o=xyz" write
           by dn="uid=serviceusr,ou=System,o=xyz" read
           by dn="uid=monitorusr,ou=System,o=xyz" read
           by dn="uid=replicator,ou=System,o=xyz" read
           by users read
   access to dn.subtree="ou=Subscribers,o=xyz"
           by group="cn=LDAP Admins,ou=Groups,o=xyz" write
           by dn="uid=serviceusr,ou=System,o=xyz" write
           by dn="uid=monitorusr,ou=System,o=xyz" write
           by dn="uid=replicator,ou=System,o=xyz" read
   access to dn.subtree="ou=System,o=xyz"
           by anonymous auth
           by self write
           by group="cn=LDAP Admins,ou=Groups,o=xyz" write
           by dn="uid=replicator,ou=System,o=xyz" read
   access to *
           by self write
           by group="cn=LDAP Admins,ou=Groups,o=xyz" write
           by dn="uid=replicator,ou=System,o=xyz" read

On execution of command:
ldapsearch -Y DIGEST-MD5 -U serviceusr  -b 'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'

It's clearly displaying in the log:
.....
conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128

.....

Now, I wanted to confirm: are these the only steps, or am I missing something?
How do I confirm that SASL has been enabled and it's working fine?

Please provide some input on this.

Thanks and Regards,
Gaurav Gugnani

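To go with the "how do I confirm SASL is working" question: an added example, not from the original thread, that parses slapd BIND log lines like the two quoted above and flags binds that did not end up with a SASL security layer. The sample log lines are constructed, and the `min_ssf` threshold and status labels are my own choices.

```python
import re

# Constructed sample slapd log (not from the original post), modelled on the
# two BIND lines quoted above; connection numbers and DNs are made up.
SAMPLE_LOG = """\
conn=12323 op=0 BIND dn="" method=163
conn=12323 op=1 BIND dn="uid=serviceusr,ou=System,o=xyz" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" method=128
conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" mech=SIMPLE ssf=0
conn=12325 op=0 BIND dn="" method=163
conn=12325 op=1 BIND dn="uid=serviceusr,ou=System,o=xyz" mech=PLAIN sasl_ssf=0 ssf=0
"""

# The completed-bind line: a SASL mechanism logs mech=... sasl_ssf=... ssf=...,
# a simple bind logs mech=SIMPLE ssf=... with no sasl_ssf field.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+)(?: sasl_ssf=(?P<sasl_ssf>\d+))? ssf=(?P<ssf>\d+)'
)

def parse_binds(log_text):
    """One dict per completed BIND; the method=... request lines are skipped."""
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds.append({
                "conn": int(m["conn"]),
                "dn": m["dn"],
                "mech": m["mech"],
                "sasl_ssf": int(m["sasl_ssf"]) if m["sasl_ssf"] is not None else 0,
                "ssf": int(m["ssf"]),
            })
    return binds

def check_sasl(binds, min_ssf=128):
    """'ok' only when a real SASL mechanism negotiated a security layer of at
    least min_ssf (the quoted DIGEST-MD5 bind shows sasl_ssf=128)."""
    report = []
    for b in binds:
        if b["mech"] == "SIMPLE":
            status = "simple-bind"     # password on the wire; only TLS (ssf) protects it
        elif b["sasl_ssf"] >= min_ssf:
            status = "ok"
        else:
            status = "no-sasl-layer"   # e.g. PLAIN: authenticated, no integrity/privacy
        report.append((b["conn"], b["dn"], b["mech"], b["sasl_ssf"], status))
    return report
```

Run it over the real slapd log (loglevel stats) instead of SAMPLE_LOG; any row that is not "ok" is a client that authenticated without the DIGEST-MD5 layer the post expects.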

On Thu, Feb 9, 2012 at 1:48 AM, Dan White <dwhite@olp.net> wrote:
On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
Thanks Dan, it worked.

Now hopefully last query from my side (sorry to bother you so much)
As I gave:
   access to dn.subtree="ou=System,o=xyz"
        by dn="uid=sasluser21,ou=System,o=xyz" read
        by anonymous auth

*So, will giving anonymous privilege cause any issue?*

I read following:
Next is by anonymous auth. This phrase grants an anonymous user (one who
has not yet authenticated) permission to authenticate using a password.
More accurately, it indicates that when a user submits a request for
authentication, the directory server is allowed to perform an
authentication operation (which amounts to comparing the submitted password
with the value in the userPassword attribute for the corresponding user's
entry).

What is its impact? Please shed some light on it.

Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.

--
Dan White