[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and SASL

Dieter Kluenter wrote: 
Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:

  
Hi

I have seen configuration which sasl get password from sasldb .I must
run saslpasswd2 to create user and password for authentication but Is
it possible to configure openldap and sasl verify authentication by
getting password from openldap self like it happen in simple
binding(userPassword attribute).How can I do it?
    

There is nothing special to do. ldapsearch -Y DIGEST-MD5 -U foo -w
secret -H ldap://myhost -b dc=example,dc=com ...
All you have to do is to set the userPassword value as plaintext,
otherwise the challenge cannot be created. If you want to parse the
sasl authentication string to a DN, than you have to define a
authz-regexp in in slapd.conf(5) and the user has to have a uid
attribute.

-Dieter
I still can not authenticate by using password from userPassword attribute .I also attach 2 configuration files with this email. Are there any missing configuration?

 
# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel stats
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload ppolicy
###########
# SSL/TLS #
###########
#TLSCACertificateFile /CA/cacert.pem
TLSCACertificatePath /CA/
TLSCertificateFile /usr/local/etc/openldap/cert/ldap.example.com.cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.example.com.key.pem
TLSVerifyClient try
###########
# SASL
###########
authz-regexp 
	uid=([^,]+).*,cn=auth
	uid=$1,ou=Users,dc=example,dc=com
authz-regexp
	email=([^,]+),cn=([^,]+).*,c=TH$
	uid=$2,ou=Users,dc=example,dc=com
sasl-realm example.com
sasl-secprops none
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap/example.com
index objectClass eq
index cn sub,eq
########
# ACLs #
########
#access to attrs=uid
#	by anonymous read
#	by users read
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none
access to dn.subtree="ou=System,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
	by users read

access to *
	by self write
	by users read
	by * none



database hdb
suffix "dc=demo,dc=net"
rootdn "cn=admin,dc=demo,dc=net"
rootpw secret
directory /var/lib/ldap/demo.net
index objectClass eq
index cn eq,sub,pres,approx
index uid eq,sub,pres

access to attrs=userPassword
	by anonymous auth
	by self write
access to dn.sub="dc=demo,dc=net" 
	by dn.sub="dc=demo,dc=net"  read

#This is the root of the directory tree
dn: dc=example,dc=com
description: Example.com, your trusted non-existent corporation.
dc: example
o: Example.com
objectClass: top
objectClass: dcObject
objectClass: organization

#Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.com Users
objectClass: organizationalUnit

#Subtree of Groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.com Groups
objectClass: organizationalUnit

#Subtree of System account
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

#
#USERS
#

#Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
#Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
#Work info:
title: System Integrator
description: System Integration and IT for Example.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
#Home info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago,IL $ 60699-1234
#Misc:
userPassword: secret
preferredLanguage: en-us:en-gb
#Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: 12345
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#LDAP Admin Group:
dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
ou: Groups
description: Users who are LDAP Administrators
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames

#Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject