
Re: Problems with SASL & openLDAP



Hi Kent + List,

Cheers mate, worked a treat. I had added a similar sasl-regexp entry from reading sections 10.2.4 & 10.2.5 of the admin guide. I wasn't using the LDAP URL mapping style!!! and my uid=$1 was a bit wrong from following the admin guide; my mistakes.

ldappasswd works as well. I always forget that I'm logged in as root on my machines, so I need to add the -U "user" option to my commands too.

Well, onto posixAccount stuff now for home directories. Those perl scripts that other people have mentioned from http://www.padl.com are a great help in getting my openLDAP and ldif files together.

Hopefully I can contribute to the list soon!!!

Greg


Kent Soper wrote:



SASL Digest-MD5 can be implemented without employing saslauthd.  But you
will need a mapping in your slapd.conf.

First, run a "ldapwhoami -Y digest-md5" to see the form of the SASL auth
DN.  No, 'digest-md5' does not need to be in caps.

Second, read sections 10.2.4 and 10.2.5 of the Admin Guide to understand
mapping.  You'll want to use the LDAP URL mapping style because your LDAP
DN is not of the form
uid=bob,ou=MemberGroupA,dc=example,dc=com

might work:
//with a realm ...
sasl-regexp
     uid=(.*),cn=.*,cn=digest-md5,cn=auth
     ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)

//without a realm ...
sasl-regexp
     uid=(.*),cn=digest-md5,cn=auth
     ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)

All I had to do for DIGEST-MD5 was add plaintext passwords like you have
done and add correct mapping entries to slapd.conf.  No SASL DB usage or
commands.  You're closer than you think to success.  Your slapd ACLs are
different from mine but you can fine tune that later.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
      you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
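To make the mapping Kent describes concrete, here is an added illustration (my own code, not from Kent's post or from slapd) that replays what slapd does with those two sasl-regexp rules: build the SASL auth DN that ldapwhoami reports, rewrite it into the LDAP URL, and run that URL's subtree search over a small constructed directory whose DNs use cn= rather than uid=. It assumes the regexp is matched case-insensitively against the whole DN and, as the Admin Guide requires, only accepts a mapping when exactly one entry matches.

```python
import re

# Constructed directory modelled on the thread: DNs are cn=..., not uid=...,
# which is why a plain-DN rewrite cannot work and an LDAP URL search is needed.
DIRECTORY = {
    "cn=First User,ou=MemberGroupA,dc=example,dc=com": {"uid": "firstuser"},
    "cn=Bob Smith,ou=MemberGroupA,dc=example,dc=com": {"uid": "bob"},
    # Second 'bob' inside the subtree: an ambiguous (2-hit) search must be refused.
    "cn=Bob Other,ou=Contractors,ou=MemberGroupA,dc=example,dc=com": {"uid": "bob"},
}

# The two rules from Kent's message (with and without a realm); first match wins.
SASL_REGEXP = [
    (r"uid=(.*),cn=.*,cn=digest-md5,cn=auth",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
    (r"uid=(.*),cn=digest-md5,cn=auth",
     "ldap:///ou=MemberGroupA,dc=example,dc=com??sub?(uid=$1)"),
]

def sasl_auth_dn(authcid, realm=None, mech="digest-md5"):
    """The SASL authorization DN in the form 'ldapwhoami -Y digest-md5' shows."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech},cn=auth"

def rewrite(auth_dn):
    """Apply the sasl-regexp rules in order; return the LDAP URL or None.
    Assumption: whole-DN, case-insensitive match, $1 = first capture group."""
    for pattern, template in SASL_REGEXP:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            return template.replace("$1", m.group(1))
    return None

def search_url(url, directory):
    """Evaluate an ldap:///base?attrs?scope?filter URL (single (attr=value) filter)."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?")
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups()
    hits = []
    for dn, entry in directory.items():
        lo, lb = dn.lower(), base.lower()
        in_base = lo == lb or lo.endswith("," + lb)
        if scope == "sub" and in_base and entry.get(attr, "").lower() == value.lower():
            hits.append(dn)
    return hits

def map_sasl_identity(authcid, realm=None):
    """SASL identity -> entry DN; None unless exactly one entry matches."""
    url = rewrite(sasl_auth_dn(authcid, realm))
    if url is None:
        return None
    hits = search_url(url, DIRECTORY)
    return hits[0] if len(hits) == 1 else None
```

Note that the realm-less auth DN does not satisfy the first (realm) pattern, which is why both rules are listed.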




Greg Wilson <greg.wilson@tss-ltd.co.uk>
Sent by: owner-openldap-software@OpenLDAP.org
To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
cc:
Subject: Problems with SASL & openLDAP
08/19/2003 05:01 AM





Another newbie problem

I have openLDAP 2.1.22 installed on a RH9 machine with cyrus-sasl-2.1.10-4.

I have added users to the openLDAP database using cleartext passwords as
follows:

dn: cn=First User,ou=MemberGroupA,dc=example,dc=com
ou: MemberGroupA
cn: First User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: firstuser
userPassword: cleartext
etc.

I have made an entry in slapd.conf following the guides:

password-hash {CLEARTEXT}

# database access control definitions
access to attr=userPassword
         by self write
         by anonymous auth
         by dn.base="cn=Manager,dc=example,dc=com" write
         by * none

If I use the standard /etc/init.d/saslauthd start, a "ps -ef | grep sasl"
gives:

root     22723     1  0 Aug18 ?        00:00:00 /usr/sbin/saslauthd -m
/var/run/saslauthd/mux -a shadow

When I try to change the password using ldappasswd I get the following:

[root@test root]# ldappasswd firstuser
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
       additional info: SASL(-13): user not found: no secret in database

I have not yet gone on to the Mapping Authentication Identities to LDAP
Entries section of the openLDAP SASL guide.  However, I am unclear whether
starting saslauthd using the "-a shadow" shown above is correct.

The sasl2 libraries are all there as expected in /usr/lib/sasl2; trying
to use saslpasswd2 also gives errors!!!

Am I treading the correct path, or have I made a dumbo error already?  I
am leaning towards a sasl/ldap config issue given the "secret in
database" error given above when the ldappasswd command is entered.

Cheers

Greg

--
Support Engineer
