Re: SASL/LDAP authentication questions?

At 04:41 PM 1/16/01 -0600, Thomas_W_Collins@Dell.com wrote:
>I have a couple of questions regarding SASL, OpenLDAP, and passwords.

I suggest you review the archives on how to setup OpenLDAP
to use SASL.  Below are a few misc. comments:

>database        ldbm
>suffix          "o=NASH,dc=dell,dc=com"
>rootdn          "cn=root,o=DAO,dc=dell,dc=com"
>rootpw          {crypt}tcPo8hUG.cU7c

Thanks... give me a few hours and I'll have your password.

Please treat hashed passwords as if they were the actual
password.  Hashed passwords are subject to a number of
attacks.  With traditional {crypt} passwords, I run through
the entire key space within a few hours on modern hardware.
With {SSHA}, though an entire key space search is not feasible,
I can run dictionary attacks which often discover the password.

>directory       /usr/local/openldap-1.2.11/var/NASH
>index           uid pres,eq,sub
>index           cn,sn pres,eq,sub

Note that most servers should "index objectClass eq".

>and I also specify two sasl user accounts as:
>saslpasswd -c root
>saslpasswd -c BSmith
>I add the following entries from an ldif file:
>dn: o=NASH,dc=dell,dc=com
>objectclass: dcObject
>objectclass: organization
>o: NASH
>dc: dell
>dn: uid=BSmith,o=NASH,dc=dell,dc=com
>objectclass: top
>objectclass: mcpactor
>uid: BSeidel
>cn: "Barry Smith"
>sn: Barry Smith
>userPassword: BSmith

Note that there is no relationship between these entries
and the SASL users you have created.

>I then execute the following:
>ldapsearch -L -D uid=BSmith,o=NASH,dc=dell,dc=com -b "o=NASH,dc=dell,dc=com"
>-s sub \
>                '(objectclass=*)' -W

Specify arguments in correct order.  If you intend to do SASL
authentication, don't specify -D or -W.  If you intend to do
LDAP simple authentication, specify -x.

>When ldap prompts for the password, if I put in "BSmith", I get the
>SASL/DIGEST-MD5 authentication started 
>ldap_sasl_interactive_bind_s; Invalid credentials
>        additional info: Client 'response' doesn't match what we generated.
>If I execute the same command, but instead of supplying "BSmith" when
>prompted for the
>password I supply "root", everything works fine. 

That's because you likely ran that command as root, so that was
the SASL authentication identity used.  If you want to specify an
alternative identity, specify that with a -U flag.

>That is, I get the above
>back from the ldapsearch.  Do I need to add some ACLs to the slapd.conf file
>allow access to users other than the rootdn?  My guess is that I do.

See archives for discussion related to SASL authorization identities
and ACL subject DNs.
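As an added example that is not part of this thread or of OpenLDAP itself: a small Python helper that builds and verifies the {SSHA} userPassword/rootpw scheme the reply contrasts with {crypt}, and that flags rootpw lines in a slapd.conf fragment still using {crypt} or a cleartext value. The slapd.conf text is constructed to mirror the quoted configuration, with a placeholder in place of a real hash.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed slapd.conf fragment shaped like the one quoted above; the
# {crypt} value is a placeholder, not a real hash.
SAMPLE_SLAPD_CONF = """\
database        ldbm
suffix          "o=NASH,dc=dell,dc=com"
rootdn          "cn=root,o=DAO,dc=dell,dc=com"
rootpw          {crypt}PLACEHOLDERHASH
index           objectClass eq
"""

# Weak per the reply: {crypt} (key space searchable in hours) and an
# unhashed cleartext value (no scheme prefix at all).
WEAK_SCHEMES = {"{CRYPT}", ""}
_ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\{[^}]*\})?", re.IGNORECASE)

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # short random salt, different per stored value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def find_weak_rootpw(conf: str) -> List[Tuple[int, str]]:
    """Return (line number, scheme) for each rootpw line using a weak scheme."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = _ROOTPW_RE.match(line)
        if not m:
            continue
        scheme = (m.group(1) or "").upper()
        if scheme in WEAK_SCHEMES:
            findings.append((lineno, scheme))
    return findings
```

Running `find_weak_rootpw(SAMPLE_SLAPD_CONF)` reports the {crypt} rootpw on line 4; replacing that value with the output of `ssha_hash(...)` clears the finding, though as the reply notes the hash still deserves the same handling as the password itself.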