[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP as a SASL backend

To: openldap-software@openldap.org
Subject: OpenLDAP as a SASL backend
From: "Zohar Lev Shani" <levshani5252@gmail.com>
Date: Thu, 11 Oct 2007 12:13:37 +0200
Content-disposition: inline

Hello list

I am trying to use OpenLDAP also as a repository of the user and
password to the SASL mechanism.
The problem I am facing is that it only works if the userPassword is
kept in clear text and not in a hashed form. I would like to use the
hashed form because my application has a proprietary backend where the
data goes over the wire and for that I need userPassword attribute to
be not in clear text.

Below is what I tried to do, based on OpenLDAP 2.3.24 running on RH4
U3 (Nahant).

Any help will be appreciated.

Zohar


> ./configure --prefix=`pwd`

I added to the default slapd.conf with this entry
authz-regexp "uid=([^,]*)"  "cn=$1,cn=users,dc=my-domain,dc=com"

The run command
> ./slapd -f slapd.conf -d -1 -h ldap://localhost:9999 1>& slapd.log 2>&1 &

Available SASL mechanism
> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base -LLL
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

Data I am going to add
> cat ./new_user.ldif
dn: dc=my-domain,dc=com
objectclass: dcObject
objectclass: organization
o: my-org
dc: my-domain

dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=users,dc=my-domain,dc=com
objectclass: organizationalRole
cn: users

dn: cn=user1,cn=users,dc=my-domain,dc=com
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: user1
userPassword: {MD5}pyLGPbjshiWvbPccuMLZOQ==
#password: pass1

dn: cn=user3,cn=users,dc=my-domain,dc=com
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: user3
userPassword: {CLEARTEXT}pass3

> ldapadd -h localhost:9999 -x -w secret -D cn=Manager,dc=my-domain,dc=com -f ./new_user.ldif

> ldapsearch -h localhost:9999 -x -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
dn: cn=user1,cn=users,dc=my-domain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: user1
userPassword:: e01ENX1weUxHUGJqc2hpV3ZiUGNjdU1MWk9RPT0=

> ldapsearch -h localhost:9999 -Y DIGEST-MD5 -U user1 -w pass1 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

> ldapsearch -h localhost:9999 -Y DIGEST-MD5 -U user3 -w pass3 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
SASL/DIGEST-MD5 authentication started
SASL username: user3
SASL SSF: 128
SASL installing layers
dn: cn=user1,cn=users,dc=my-domain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: user1
userPassword:: e01ENX1weUxHUGJqc2hpV3ZiUGNjdU1MWk9RPT0=

Follow-Ups:
- Re: OpenLDAP as a SASL backend
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: ldapsearch on local attributes with slapo-translucent
Next by Date: Re: ldapsearch on local attributes with slapo-translucent
Index(es):
- Chronological
- Thread