
Re[2]: Problems with SASL & openLDAP

Hello Kent,

Tuesday, August 19, 2003, 4:50:29 PM, you wrote:

KS> SASL Digest-MD5 can be implemented without employing saslauthd.  But you
KS> will need a mapping in your slapd.conf.

KS> First, run a "ldapwhoami -Y digest-md5" to see the form of the SASL auth
KS> DN.  No, 'digest-md5' does not need to be in caps.

KS> Second, read section 10.2.4 and 10.2.5 of the Admin Guide to understand
KS> mapping.  You'll want to use the LDAP URL mapping style because your LDAP
KS> DN is not of the form
KS> uid=bob,ou=MemberGroupA,dc=example,dc=com

KS> might work:
KS> # with a realm ...
KS> sasl-regexp
KS>       uid=(.*),cn=.*,cn=digest-md5,cn=auth
KS>       ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)

KS> # without a realm ...
KS> sasl-regexp
KS>       uid=(.*),cn=digest-md5,cn=auth
KS>       ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)

          You have to put mech in uppercase here, cn=DIGEST-MD5, or it
          won't work.

KS> All I had to do for DIGEST-MD5 was add plaintext passwords like you have
KS> done and add correct mapping entries to slapd.conf.  No SASL DB usage or
KS> commands.  You're closer than you think to success.  Your slapd ACLs are
KS> different from mine but you can fine tune that later.

KS> Cheers,
KS> Kent Soper

KS> "You don't stop playing because you grow old ...
KS>        you grow old because you stop playing."

KS> Linux Technology Center, Linux Security
KS> phone:  1-512-838-9216
KS> e-mail:  dksoper@us.ibm.com

KS> From: Greg Wilson <greg.wilson@tss-ltd.co.uk>
KS> Sent by: owner-openldap-software@OpenLDAP.org
KS> To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
KS> Subject: Problems with SASL & openLDAP
KS> Date: 08/19/2003 05:01 AM

KS> Another newbie problem

KS> I have openLDAP 2.1.22 installed on a RH9 machine with cyrus-sasl-2.1.10-4.

KS> I have added users to the openLDAP database using cleartext passwords as
KS> follows

KS> dn: cn=First User,ou=MemberGroupA,dc=example,dc=com
KS> ou: MemberGroupA
KS> cn: First User
KS> objectClass: top
KS> objectClass: person
KS> objectClass: organizationalPerson
KS> objectClass: inetOrgPerson
KS> uid: firstuser
KS> userPassword: cleartext
KS> etc.

KS> I have made an entry in slapd.conf following the guides

KS> password-hash {CLEARTEXT}

KS> # database access control definitions
KS> access to attr=userPassword
KS>           by self write
KS>           by anonymous auth
KS>           by dn.base="cn=Manager,dc=example,dc=com" write
KS>           by * none

KS> If I use the standard /etc/init.d/saslauthd start a "ps -ef | grep sasl"
KS> gives

KS> root     22723     1  0 Aug18 ?        00:00:00 /usr/sbin/saslauthd -m
KS> /var/run/saslauthd/mux -a shadow

KS> When I try to change the ldappasswd I get the following

KS> [root@test root]# ldappasswd firstuser
KS> SASL/DIGEST-MD5 authentication started
KS> Please enter your password:
KS> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
KS>         additional info: SASL(-13): user not found: no secret in database

KS> I have not yet gone onto Mapping Authentication identities to LDAP
KS> entries section of the openLDAP sasl guide.  However I am unclear whether
KS> the starting of saslauthd using the "-a shadow" shown above is correct.

KS> The sasl2 libraries are all there as expected in /usr/lib/sasl2, trying
KS> to use saslpasswd2 also gives errors!!!

KS> Am I treading the correct path, or have I made a dumbo error already?  I
KS> am leaning towards a sasl/ldap config issue given the "secret in
KS> database" error given above when the ldappasswd command is entered.

KS> Cheers

KS> Greg

KS> --
KS> Support Engineer

KS> Tel:
KS> Fax:

KS> Disclaimer

KS> Please note: This email is confidential and may also be privileged.

KS> Please notify us immediately, if you are not the intended recipient.

KS> You should not copy it, forward it or use it for any purpose or disclose
KS> its contents to any person.

KS> In sending this email, the sender is not acting as an agent,
KS> representative or in any other capacity for or on behalf of TSS.

KS> We cannot accept liability for any loss or damage caused by software
KS> viruses.


-- 
Best regards,
 Alexander                            mailto:lan_mailing@startatom.ru
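Added example, not part of Alexander's, Kent's or Greg's mail and not OpenLDAP code: a small Python simulation of what slapd's sasl-regexp does with the two rules Kent quoted, so a mapping can be checked offline before it goes into slapd.conf. The rule set, the `firstuser` entry and the second entry are constructed from the thread; matching uses plain case-sensitive regexps, which reproduces the behaviour Alexander reports (a rule written with `cn=digest-md5` never matches the `cn=DIGEST-MD5` auth DN that slapd hands it). The function names `map_sasl_dn`, `parse_ldap_url`, `search` and `resolve_sasl_identity` are mine.

```python
import re

# Constructed slapd.conf-style sasl-regexp rules, mirroring the two quoted in the
# thread but with the mechanism in uppercase (cn=DIGEST-MD5) as Alexander advises.
# Each rule is (regexp over the SASL auth DN, LDAP URL with $1 standing for group 1).
SASL_REGEXP_RULES = [
    # with a realm:    uid=<user>,cn=<realm>,cn=DIGEST-MD5,cn=auth
    (r"^uid=(.*),cn=.*,cn=DIGEST-MD5,cn=auth$",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
    # without a realm: uid=<user>,cn=DIGEST-MD5,cn=auth
    (r"^uid=(.*),cn=DIGEST-MD5,cn=auth$",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
]

# The same rules with the mechanism lowercased, exactly as they appear in Kent's mail.
LOWERCASE_RULES = [(p.replace("DIGEST-MD5", "digest-md5"), u) for p, u in SASL_REGEXP_RULES]

# Constructed directory content: Greg's entry, a second member and the rootdn entry.
DIRECTORY = {
    "cn=First User,ou=MemberGroupA,dc=example,dc=com": {"uid": "firstuser", "cn": "First User"},
    "cn=Second User,ou=MemberGroupA,dc=example,dc=com": {"uid": "seconduser", "cn": "Second User"},
    "cn=Manager,dc=example,dc=com": {"cn": "Manager"},
}


def map_sasl_dn(auth_dn, rules=SASL_REGEXP_RULES):
    """Apply the first sasl-regexp rule whose regexp matches auth_dn.

    Returns the LDAP URL with $1, $2, ... replaced by the captured groups,
    or None when no rule matches (slapd then has no LDAP identity to use).
    Matching is case-sensitive, as the thread reports for the mechanism name.
    """
    for pattern, url_template in rules:
        m = re.match(pattern, auth_dn)
        if m:
            url = url_template
            for i, group in enumerate(m.groups(), start=1):
                url = url.replace("$%d" % i, group)
            return url
    return None


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its parts (minimal RFC 2255 shape)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only server-local ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing fields take their defaults
    base, attrs, scope, filt = parts[:4]
    return {"base": base, "attrs": attrs,
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def search(base, scope, filt, directory=DIRECTORY):
    """Evaluate one equality filter such as (uid=firstuser) at base/scope; return matching DNs."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("only a single equality filter is supported: %r" % filt)
    attr, value = m.groups()
    if scope not in ("base", "sub"):
        raise ValueError("scope %r not supported in this simulation" % scope)
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
        if in_scope and attrs.get(attr) == value:
            hits.append(dn)
    return hits


def resolve_sasl_identity(auth_dn, rules=SASL_REGEXP_RULES, directory=DIRECTORY):
    """Map a SASL auth DN to exactly one entry DN; None if it maps to zero or several."""
    url = map_sasl_dn(auth_dn, rules)
    if url is None:
        return None
    q = parse_ldap_url(url)
    try:
        hits = search(q["base"], q["scope"], q["filter"], directory)
    except ValueError:
        return None                            # malformed filter: fail closed
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for dn in ("uid=firstuser,cn=DIGEST-MD5,cn=auth",
               "uid=firstuser,cn=example.com,cn=DIGEST-MD5,cn=auth",
               "uid=nobody,cn=DIGEST-MD5,cn=auth"):
        print(dn, "->", resolve_sasl_identity(dn))
    print("lowercase rules ->",
          resolve_sasl_identity("uid=firstuser,cn=DIGEST-MD5,cn=auth", LOWERCASE_RULES))
```

Run as a script it prints the resolved entry DN for both the realm and the no-realm forms of the auth DN, and `None` for the two failure modes: a uid with no entry under `ou=MemberGroupA`, and the lowercase rule set against the uppercase auth DN. The filter evaluator accepts only a single equality term, so a uid containing `)` makes the simulated lookup fail closed instead of building a malformed filter; that is a property of this simulation, not a statement about how slapd treats the substituted value.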