
Re: SASL tips worth adding to documentation?



Aleksander Adamowski wrote:
Hi!
I've been playing with SASL auth in OpenLDAP 2.1.

Basically, the documentation page on
<http://www.openldap.org/doc/admin21/sasl.html> lacks most info needed
to get SASL working in almost any setup...

E.g. it's not mentioned anywhere that one needs to give unauthenticated
users read permissions to the supportedSASLMechanisms attribute, or else
some clients (even those shipped with OpenLDAP!) won't be able to get
the list of supported mechs and terminate with an error before even
trying to authenticate!

So one needs something like this:

access to attrs=supportedSASLMechanisms
 by peername=192\.168\.0\..* read


better would be:

access to dn.base=""
	by * read

before any other access statements. Of course you could be more restrictive and just allow specific attrs or attrs=OpenLDAProotDSE, which would grab all the attributes under the null(?) dn. However, this object usually only occurs in one place, "dn: ".

Also useful would be:

access to dn.base="cn=Subschema"
	by * read

However, you might use a filter such as (objectclass=subschema) to possibly protect against the above dn changing. cn=Subschema comes from the subschemaSubentry attribute under "dn: ". This later allows tools like gq to query for supported objectclasses/attributes.


to enable this for machines on local network 192.168.0.0/24.


Or just use a firewall since by limiting the above you severely limit LDAPv3 usefulness.

More I don't know.  Possible security implications of the above?


The documentation page also lacks description of sasl-related directives
(that are documented in slapd.conf manpage, but weakly).

So I propose that anybody who reads this share his/her tips related to
SASL in OpenLDAP and then we'll submit collected info for inclusion in
the admin guide at <http://www.openldap.org/doc/admin21/sasl.html>.

Best regards,
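As an added example (not text from either poster), here is how the rules discussed in this thread fit together in one slapd.conf ACL section. It assumes the section sits before the first "database" directive, so the rules apply to the root DSE and subschema entries, which belong to no backend; the password and catch-all rules at the end are assumed examples of a restrictive setup, included to show why the dn.base="" rule has to come first under first-match evaluation.

```conf
# slapd.conf ACL section (added example, not from the thread).
# Place before the first "database" directive: the root DSE (dn "")
# and cn=Subschema are not part of any backend database, so only
# global ACLs reach them.
#
# ACLs are evaluated in order and the first matching "access to" clause
# wins, so the root DSE rule must precede the restrictive catch-all at
# the bottom; otherwise "by anonymous none" below would also hide
# supportedSASLMechanisms and clients would fail before trying to bind.

# Unauthenticated clients need the root DSE to discover
# supportedSASLMechanisms (and subschemaSubentry) before binding.
access to dn.base=""
        by * read

# Schema discovery for tools such as gq; keying on the object class as
# well as the DN guards against the subschema DN being renamed.
access to dn.base="cn=Subschema" filter=(objectClass=subschema)
        by * read

# Passwords: a user may change their own, anonymous clients may only
# present one to authenticate, nobody else may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else is visible to authenticated users only.
access to *
        by self write
        by users read
        by anonymous none

# Verification from an unauthenticated client (should list the
# mechanisms; if it returns nothing, the ACL ordering is wrong):
#   ldapsearch -x -H ldap://ldap.example.net -s base -b "" \
#       supportedSASLMechanisms subschemaSubentry
```

The hostname in the ldapsearch command is a placeholder; the rest of the command uses standard OpenLDAP client options.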