[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Basic SASL setup instructions

At 03:48 PM 10/5/00 -0400, Robert Watt wrote:
>Basically I copied the entry of an existing user and modified their
>'userpassword' attribute to: {sasl}, then used saslpasswd to create
>/etc/sasldb with that users name, realm and password. (there was a mention
>of {sasl}xxxxxxxxxx  entries also for simple bind. I don't want simple
>bind, so need to know how to setup the full-sasl way).

The don't bother with userPassword...  setup up Cyrus SASL.
Make sure it works (using Cyrus provided sample client and server
and -s "ldap").  Then use same mechanism, authentication identities,
secrets with slapd.

>When I try to login as the user through ssh or a console login it fails.

ssh? console?  Not sure what that has to do with LDAP (they could
be using LDAP under the hoods, but that's another matter).

> When I try to use 
>ldapsearch, no matter how I enter their info with  ldapsearch -D "various
>dn's combining realm info" -W  it responds with:  
> ldap_bind: Invalid credentials. 

The -D value is ignored when using SASL bind.
Once you have the Cyrus sample client/server working, I suggest
using ldapsearch -I (interactive) and then providing the necessary
information (including password) as prompted.  Be sure to leave
the authorization identity empty.

>So, a few questions:
>- What setup steps do I need to get basic SASL functionality working so
>that services authenticate through ldap/sasl and ldap utilities bind
>through sasl rather than simple auth with cleartext passwords.

1) make sure Cyrus SASL is working (use sample client/server to test).
2) make sure slapd has access to authentication secrets
        a) can read SASLdb?  (such as for DIGEST-MD5)
        b) can access pwaccessd as needed (for PLAIN, not recommended)
        c) has necessary keys, certificates, whatever as needed (for GSSAPI)

>- What format do I need to use for the ldap utilities?

Don't use -x, -D, -W, -w....  use -I to enable full SASL prompting.
use -Y to limit mechanism choice.

>I assume -D is
>not supposed to be used with sasl.


>I've seen the -I -U and other switches,
>but nothing I've tried seems to work (basically the utilities tell me I'm
>not using the switches correctly).

ldapsearch -I -Y MECH -b "dc=example,dc=com"

is a good place to start (where MECH is your SASL mechanism of choice).

>- In addition to the setup on the server, what do I need on my clients to
>get them to use sasl?

For OpenLDAP clients, they will automatically detect supported
mechanisms and choose the best one... so, once you have your
server setup correctly, you can just type:

ldapsearch -b "dc=example,dc=com"

and the tool will prompt as needed.

>- Has anyone used openssl and/or kerberos instead of sasl? Which is

OpenSSL provides TLS.  It is recommended for confidential protect
over that provided by SASL.  Note that use of TLS in combination
with SASL/EXTERNAL, SASL/PLAIN, or simple bind offers a reasonable

Cyrus SASL supports GSSAPI, namely using Kerberos V.  Cyrus
SASL also supports a Kerberos IV mechanism.  I highly recommended

>- Nalin from Red Hat posted some RPM's of OpenLDAP 2.0.4. Does anyone
>know if these have sasl support compiled in? 

Wouldn't know myself...