
openldap + DIGEST-MD5 + PAM


After avoiding SASL for half a year and using -x instead, I gave it a
shot. What I want:

- use ldapsearch/other tools on one machine, and avoid sending the
  password in plaintext to the server
- the password should be stored in one place, i.e. the ldap directory

I have a working setup with openldap, nss_ldap and pam_ldap.

So, these steps were done to add SASL capabilities

- in order to get DIGEST-MD5, I created /etc/sasldb by saslpasswd dummyuser
- I do not want to set a password manually in sasldb, so I created
  /usr/lib/sasl/slapd.conf containing pwcheck_method: pam

If I issue ldapsearch -x -L -s "base" -b "" supportedSASLMechanisms
I get the expected mechanisms as supported:

supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

However, since I specified it to use PAM, it needs a service definition in
/etc/pam.d/slapd (?). So I simply used the service definition used by sudo, since
it was quite generic, and works with my pam setup.

Anyway, it does not work :) -- if I strace slapd, I can see that it (or
rather sasl) is opening /var/lib/sasl/slapd.conf and reading the config.
Then I would expect PAM stuff to be opened/read, but it is not
happening. However if I add my user to sasldb, it works fine.

Does someone have any idea of what could be wrong?
Or, tips on how to debug sasl to see what it does. No PAM errors are
shown in the logs, btw.

The passwords are stored hashed (crypt) in the directory. Does the
DIGEST-MD5 mech work with this, or does the server need the password
as plaintext (which could explain why sasldb works)? I do not want
to store it in plaintext.
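As an added illustration (not from the post, OpenLDAP or Cyrus SASL), the DIGEST-MD5 computation from RFC 2831 shows what the server side must hold to verify a client: either the plaintext password or the precomputed H(username:realm:password) value. A crypt(3) hash in the directory yields neither, and a PAM check only answers yes/no for a plaintext password, which is why a plaintext store such as sasldb works and a PAM-backed store cannot. Sample values are the ones from the worked exchange in RFC 2831 section 4; the "wrong" password is constructed.

```python
import hashlib
import hmac


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    # The only password-derived secret DIGEST-MD5 uses (RFC 2831, 2.1.2.1):
    # H(username:realm:password) as raw 16 bytes. A server may store this
    # instead of the plaintext, but it cannot be derived from a crypt(3) hash.
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _kd(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str, a2: bytes) -> str:
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce   (no authzid here)
    ha1_hex = hashlib.md5(ha1 + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    ha2_hex = hashlib.md5(a2).hexdigest()
    # HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    digest_input = f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}"
    return hashlib.md5(digest_input.encode("utf-8")).hexdigest()


def client_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    # A2 for the client's "response" directive starts with "AUTHENTICATE:".
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop != "auth":  # auth-int / auth-conf append an all-zero body hash
        a2 += b":00000000000000000000000000000000"
    return _kd(ha1, nonce, cnonce, nc, qop, a2)


def server_rspauth(ha1: bytes, nonce: str, cnonce: str, nc: str,
                   qop: str, digest_uri: str) -> str:
    # The server proves it knows the secret too: A2 without "AUTHENTICATE".
    a2 = f":{digest_uri}".encode("utf-8")
    if qop != "auth":
        a2 += b":00000000000000000000000000000000"
    return _kd(ha1, nonce, cnonce, nc, qop, a2)


def server_verify(stored_ha1: bytes, nonce: str, cnonce: str, nc: str,
                  qop: str, digest_uri: str, response: str) -> bool:
    # The server never receives the password; it recomputes the response from
    # its stored secret (plaintext or HA1), so a one-way hash is not enough.
    expected = client_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Values from the RFC 2831 section 4 exchange (user chris, password secret).
    ha1 = digest_md5_ha1("chris", "elwood.innosoft.com", "secret")
    args = ("OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth",
            "imap/elwood.innosoft.com")
    resp = client_response(ha1, *args)
    print("response:", resp, "verified:", server_verify(ha1, *args, resp))
    print("rspauth: ", server_rspauth(ha1, *args))
```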