
Re: Fw: on SASL



Turbo Fredriksson wanted us to know:

>http://www.bayour.com/LDAPv3-HOWTO.html

Very impressive piece of work.  I have some questions though.  I am
working on a Mandrake 8.1 box.  Cyrus-SASL with the libraries for
digest-md5, plain, and cram-md5 are installed (Mandrake makes each a
separate rpm, dunno if others do that).

This ties LDAP + TLS + SASL + Kerberos together to get LDAP v3.  
According to documentation that I've found on the web, I should be 
able to get secure replication using just SASL.  Is that correct?  Even
if it's not correct, I should still be able to get SASL working
properly.

Now, I know that the following does not work.  What I'm looking for is
pointers as to why.  In the master ldap config file, I define three
replicas.  The first is a simple bind and it works well.  The second is
a simple bind to an alternate port and it works well.  The third is my
attempt to use SASL and it's failing.  Does anything look obviously
wrong?

Works:
replogfile      /var/log/ldap/replicate-Grand.log
replica         host=gteshome:389
  <snip>
replogfile      /var/log/ldap/replicate-District2.log
replica         host=gteshome:50389
  <snip>

Doesn't work:
replogfile      /var/log/ldap/replicate-District3.log
replica         host=gteshome:53389
                suffix="ou=District3,o=mrball,c=US"
                bindmethod=sasl
                binddn="uid=tlyons.mrball.net"
                saslmech=DIGEST-MD5
                authcId="tlyons.mrball.net"
                authzId="tlyons.mrball.net"
                realm="gteshome.mrball.net"
                credentials="todd"

In the config file for the slave ldap server for port 53389, I have:
updatedn	"UID=TLYONS.MRBALL.NET+REALM=GTESHOME.MRBALL.NET"

In all documentation that I've seen, it's always all caps like this.
Why?  When I create my SASL users, it is case-sensitive.  I assume that
means it's important.  I did try it all lowercase, but it didn't work
either.

For ACL's, I have:
access to attrs=userPassword,lmpassword,ntpassword
        by self write
        by dn="UID=TLYONS.MRBALL.NET" write
        by * none
 
access to *
        by self read
        by dn="UID=TLYONS.MRBALL.NET" write
        by * search

[root@gteshome root]# sasldblistusers
user: tlyons.mrball.net realm: gteshome.mrball.net mech: DIGEST-MD5
user: tlyons.mrball.net realm: gteshome.mrball.net mech: PLAIN
user: tlyons.mrball.net realm: gteshome.mrball.net mech: CRAM-MD5

These were created with:
[root@gteshome root]# echo "todd" | saslpasswd -p -a slapd -u gteshome.mrball.net tlyons.mrball.net

There was some confusion on my part if I had to create these users with
"-a slapd" or "-a ldap" or just blank, which should default to "-a sasl".
I figured that out by stracing it :)  It also was inferred that the
entries in the SASL db needed to be lower-case.  Is that correct?  I have 
a /usr/lib/sasl/sasl.conf, ldap.conf, and slapd.conf, all three of which 
have had various incarnations of:
    pwcheck_method: sasldb
OR
    pwcheck_method: sasl
OR
    pwcheck_method: digest
OR
    pwcheck_method: DIGEST-MD5
and a few others.  Do any of them look right?  Remember, I'm just trying 
to use SASL.

If I have some basic misunderstandings of SASL, please put me on the
path to enlightenment.  In the meantime, I'm studying your HowTo.
-- 
Blue skies...		Todd
| Get a bigger hammer!   |  All vendors suck, but different ones  |
| http://www.mrball.net  |  suck less in different applications.  |
| http://faq.mrball.net  |                --Andy Walden on NANOG  |
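As an added example (not part of Todd's post or the HOWTO he cites), here is a small Python checker that parses the replica stanza, the slave's updatedn, its "by dn=" ACL clauses and the sasldblistusers output quoted above, and reports where the identity the replicator binds as disagrees between them, comparing case-insensitively. It assumes the uid=<authcId>+realm=<realm> form that the post uses for updatedn; the inputs are transcribed from the post and the helper names are my own.

```python
import re
# Constructed inputs, transcribed in form from the post above (not live data).
REPLICA_STANZA = """\
replica         host=gteshome:53389
                suffix="ou=District3,o=mrball,c=US"
                bindmethod=sasl
                binddn="uid=tlyons.mrball.net"
                saslmech=DIGEST-MD5
                authcId="tlyons.mrball.net"
                realm="gteshome.mrball.net"
                credentials="todd"
"""
SLAVE_UPDATEDN = "UID=TLYONS.MRBALL.NET+REALM=GTESHOME.MRBALL.NET"
ACL_DNS = ["UID=TLYONS.MRBALL.NET"]  # the slave's "by dn=" clauses
SASLDB_LISTING = """\
user: tlyons.mrball.net realm: gteshome.mrball.net mech: DIGEST-MD5
user: tlyons.mrball.net realm: gteshome.mrball.net mech: PLAIN
user: tlyons.mrball.net realm: gteshome.mrball.net mech: CRAM-MD5
"""

def parse_replica(stanza):
    """Return the key=value options of one slapd.conf replica stanza, unquoted."""
    return {k.lower(): quoted or bare for k, quoted, bare in
            re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', stanza)}

def parse_dn(dn):
    """Split a DN such as UID=x+REALM=y into a case-folded {attr: value} dict."""
    return {a.strip().lower(): v.strip().lower()
            for a, _, v in (part.partition("=") for part in re.split(r"[+,]", dn))}

def parse_sasldb(listing):
    """Turn sasldblistusers output into a set of (user, realm, MECH) tuples."""
    return {(u.lower(), r.lower(), m.upper()) for u, r, m in
            re.findall(r"user: (\S+) realm: (\S+) mech: (\S+)", listing)}

def check(stanza, updatedn, acl_dns, sasldb):
    """Cross-check the places the replication identity must agree; return findings."""
    r = parse_replica(stanza)
    user, realm = r["authcid"].lower(), r["realm"].lower()
    findings = []
    if (user, realm, r["saslmech"].upper()) not in sasldb:
        findings.append("authcId/realm/saslmech has no matching sasldb entry")
    ud = parse_dn(updatedn)
    if ud.get("uid") != user or ud.get("realm") != realm:
        findings.append("updatedn uid/realm differs from authcId/realm")
    if not any(parse_dn(d).get("uid") == user for d in acl_dns):
        findings.append("no 'by dn=' ACL clause names the replication uid")
    if "credentials" in r:  # clear-text password lives in slapd.conf
        findings.append("credentials in clear text: keep slapd.conf unreadable to others")
    return findings
```

On the values quoted in the post every identity check passes, so the only finding is the clear-text credentials line; the checker confirms the four places agree but does not diagnose the failing bind itself.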