
Re: Problems with SASL, TLS, etc.

At 10:23 AM 2001-08-27, Nels Lindquist wrote:
>My head hurts.
>
>I've compiled OpenLDAP-2.0.11 on a RedHat Linux box.  I already have 
>Cyrus SASL working with Cyrus IMAP and Sendmail AUTH.  I compiled 
>OpenLDAP with the following configuration:
>
>> ./configure  --enable-crypt --enable-spasswd --enable-wrappers
>> --enable-ldbm --with-tls --with-ldbm-type=btree
>
>I was able to populate the LDAP server using simple authentication 
>with the root DN and plaintext password I defined in slapd.conf, but 
>I'm very confused about how to move past this point.
>
>The documentation makes brief reference to replacing the plaintext 
>"secret" in the slapd.conf file with a secure mechanism such as SASL, 
>but how does one go about doing this?  I tried following the 
>instructions I found in an archived message which instructed 
>replacing the "rootpw   [secret]" line with "rootpw   {SASL}root", 

That's to use the Cyrus SASL secret store (sasldb) for simple
authentication.  If you want to use SASL authentication, then
you first need to get SASL working (start with Cyrus SASL
sample client/server).  More details can be found in the archives
(sorry, but that's the best docs we have right now) or various
HOWTOs.  Note when using SASL authentication for the rootdn,
one doesn't need to set rootpw.

>but it didn't seem to help.  I'd really like to implement ACLs for 
>updating the LDAP server, etc. but I haven't been able to get any 
>authentication past "rootpw    [plain secret]" to work at all.
>
>Where exactly is the SASL layer supposed to sit in the whole LDAP 
>scheme?  Is it used for binding?

Yes.  It provides a framework for authentication.

> Or for an additionally 
>authentication layer prior to binding?  How does the ldappasswd 
>utility work?

ldappasswd uses an LDAP extended operation to change a password.
In 2.0, it can only change simple authentication passwords (for
hashed userPassword schemes only).

>I can't seem to generate any passwords at all, for any 
>users.  Whenever I try, I receive the following error: 
>
>> Result: DSA is unwilling to perform (53)
>> Additional info: operation not supported for current user
>
>Where are the passwords it generates (when it does) stored?

userPassword.  userPassword is used only for simple authentication.

>In 
>/etc/sasldb?  In the LDAP database itself?  If the latter, why have 
>SASL at all?
>
>How do I convince the server (and LDAP related utilities) to use SASL 
>LOGIN or PLAIN methods?  I'd expect this to be necessary for (the 
>majority of) clients which don't support SASL directly and are hence 
>unable to use CRAM-MD5 or DIGEST-MD5.

If a client doesn't support SASL, then it doesn't support SASL/PLAIN
or SASL/LOGIN.

>Perhaps I haven't configured the SASL plaintext logins properly for 
>slapd.

Have you gotten the Cyrus SASL sample client/server to work?

>What is the name of the slapd binary internally as far as 
>SASL is concerned?  (Ie, what's the name of the [name].conf file 
>which needs to be created in /usr/lib/sasl?

slapd... but SASL options can be configured via slapd.conf(5).

>And the /etc/pam.d/[servicename] file, for that matter?)

Haven't a clue, I don't use PAM.

>Is there *anywhere* where any of this is documented?

Archives, howtos, and faq.  Submissions to the admin guide are
welcomed.
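The reply above says that userPassword serves simple authentication only, that ldappasswd in 2.0 works only with hashed userPassword schemes, and that a {SASL} value hands verification off to Cyrus SASL instead. The following is an added example, not code from the thread or from OpenLDAP, showing what a hashed userPassword value ({SHA} and salted {SSHA}) actually looks like and how a server-side check of such a value works; the scheme handling for {SASL} is modelled here only to the extent that it is not a hash and so cannot be verified by hashing. Function names and the 4-byte salt size are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# userPassword values are "{SCHEME}payload". For {SHA} the payload is
# base64(sha1(password)); for {SSHA} it is base64(sha1(password + salt) + salt).
SHA1_LEN = 20


def make_sha(password: str) -> str:
    """Unsalted {SHA} value. Identical passwords give identical values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} value; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(4)  # salt length is a choice of this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str):
    """Return (SCHEME, payload) for a '{SCHEME}payload' value, or (None, stored)."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored
    scheme, _, payload = stored[1:].partition("}")
    return scheme.upper(), payload


def check_password(stored: str, candidate: str) -> bool:
    """Simple-bind style check of a candidate against a stored userPassword.

    Returns False for any scheme this example cannot verify by hashing,
    which includes {SASL}: such a value names a sasldb user and is checked
    by Cyrus SASL, not by comparing digests.
    """
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "SHA":
        expected = base64.b64decode(payload)
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    # {SASL}, {CRYPT}, cleartext and unknown schemes are not handled here.
    return False


def is_hashable_scheme(stored: str) -> bool:
    """True when the stored value is one of the hash schemes this example can rewrite."""
    return split_scheme(stored)[0] in ("SHA", "SSHA")


if __name__ == "__main__":
    sample = make_ssha("correct horse", b"abcd")  # constructed sample value
    print(sample)
    print("verify ok:", check_password(sample, "correct horse"))
    print("verify wrong:", check_password(sample, "wrong"))
    print("{SASL}root hashable:", is_hashable_scheme("{SASL}root"))
```

Note the difference between the two schemes when several entries share a password: {SHA} values repeat, {SSHA} values do not, which is why the salted form is the one to store. The constant-time comparison (hmac.compare_digest) is used so that a verification failure takes the same time whether the mismatch is in the first byte or the last.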