
Re: sasl/plain with hashed password not working



On 10/02/13 09:08 -0400, btb wrote:
I've enabled the plain sasl mech, and testing with ldapwhoami works, but only if the userPassword is left as plaintext. If hashing [ssha] is used, it fails. A simple bind succeeds. What am I doing wrong?

ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: Password verification failed

524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com

libsasl2, with default configuration, requires that the password be stored
in cleartext, even for PLAIN.

To support {ssha} in this scenario, I recommend you configure your SASL
slapd.conf file to authenticate against saslauthd, which in turn should be
configured to perform ldap simple (non-sasl) authentication against slapd.
Think of it as a two-level deep recursive authentication.

Create a slapd.conf SASL file (e.g. /usr/lib/sasl2/slapd.conf) with these
contents:

  pwcheck_method: saslauthd
  # Disallow shared secret mechanisms
  mech_list: PLAIN LOGIN GSSAPI EXTERNAL

Run saslauthd with the ldap backend. Run in debug mode to troubleshoot.
If slapd is running non-root, modify the permissions on the saslauthd mux
(e.g. /var/run/saslauthd/mux) to allow slapd to access it.
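As an added example (not code from the thread or from Dan White), the following shell script lays out the two files the reply describes, fixes the mux permissions, and checks saslauthd on its own with testsaslauthd before slapd's SASL bind is involved. The hostname (dsa4.example.com) and search base (ou=people,ou=accounts,dc=example,dc=com) are taken from the quoted output; the SASL config directory, saslauthd.conf path, mux directory, slapd's group name, and the lookup account DN are assumptions, and the lookup password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the two files the reply
# describes and check saslauthd on its own. Paths, group name and the lookup
# account DN below are assumptions; the DNs come from the quoted debug output.
set -e

SASL_CONF_DIR="${SASL_CONF_DIR:-/usr/lib/sasl2}"          # where slapd looks for slapd.conf
SASLAUTHD_CONF="${SASLAUTHD_CONF:-/etc/saslauthd.conf}"    # passed to saslauthd -O
MUX_DIR="${MUX_DIR:-/var/run/saslauthd}"                   # passed to saslauthd -m
SLAPD_GROUP="${SLAPD_GROUP:-openldap}"                     # assumed group slapd runs as

# 1. slapd's SASL application config: delegate password checks to saslauthd.
#    On the default auxprop path libsasl2 compares the PLAIN password the
#    client sent with the stored secret byte for byte, so a {SSHA} value can
#    never match; with saslauthd that compare is never performed.
slapd_sasl_conf() {
  cat <<'EOF'
pwcheck_method: saslauthd
# Disallow shared secret mechanisms
mech_list: PLAIN LOGIN GSSAPI EXTERNAL
EOF
}

# 2. saslauthd's LDAP backend (options documented in LDAP_SASLAUTHD in the
#    cyrus-sasl source): find the user's entry, then simple-bind as that entry
#    with the client's password. slapd verifies the {SSHA} hash itself.
saslauthd_ldap_conf() {
  cat <<'EOF'
ldap_servers: ldap://dsa4.example.com/
ldap_search_base: ou=people,ou=accounts,dc=example,dc=com
ldap_scope: sub
ldap_filter: (uid=%u)
ldap_auth_method: bind
# Account used only for the lookup search: assumed DN, placeholder password.
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_bind_pw: REPLACE-WITH-REAL-PASSWORD
EOF
}

install_configs() {
  mkdir -p "$SASL_CONF_DIR" "$(dirname "$SASLAUTHD_CONF")"
  slapd_sasl_conf > "$SASL_CONF_DIR/slapd.conf"
  saslauthd_ldap_conf > "$SASLAUTHD_CONF"
  chmod 0600 "$SASLAUTHD_CONF"   # holds the lookup account's password
}

# 3. A non-root slapd must be able to reach the mux socket: give slapd's
#    group access to the mux directory (assumed layout: socket at $MUX_DIR/mux).
fix_mux_perms() {
  chgrp "$SLAPD_GROUP" "$MUX_DIR"
  chmod 0750 "$MUX_DIR"
}

# 4. While troubleshooting, run saslauthd in the foreground with debug output.
start_saslauthd_debug() {
  saslauthd -a ldap -O "$SASLAUTHD_CONF" -m "$MUX_DIR" -d
}

# 5. Check saslauthd directly, without slapd in the loop.
#    Exit status 0 means saslauthd answered "OK" for that user/password.
check_saslauthd() {
  testsaslauthd -u "$1" -p "$2" -s slapd -f "$MUX_DIR/mux"
}

case "${1:-}" in
  install) install_configs; fix_mux_perms ;;
  debug)   start_saslauthd_debug ;;
  check)   check_saslauthd "$2" "$3" ;;
  *)       : ;;   # no action when sourced or run without a verb
esac
```

Run it as `sh setup.sh install`, then `sh setup.sh debug` in one terminal and `sh setup.sh check flash 'xxxxxxxx'` in another; only once testsaslauthd reports OK is it worth retrying the ldapwhoami -Y plain bind. The lookup account only needs read access to uid under the search base, and saslauthd.conf is kept mode 0600 because it carries that account's password.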

See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
The saslauthd manpage
saslauthd/LDAP_SASLAUTHD (in the cyrus sasl source)

--
Dan White