Re: SASL, DIGEST-MD5 and ROOTDN
Bernard McAuley wrote:
I have set up a simple OPENLDAP server and I want to begin as I mean to
go on and keep the setup secure. To this end I want the rootdn to be
set to bind via SASL. According to the administrators guide this can be
achieved by setting the DN to be of the form:
I've done this but when I attempt an ldapsearch I get the following:-
ldapsearch -U user supportedSASLMechanisms
SASL/DIGEST-MD5 authentication started
Please enter your password: <password>
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
additional info: SASL(-13): user not found: no secret in
But when I test the sasl account using testsaslauthd I get the
/usr/sbin/testsaslauthd -u user -p secret -s slapd
0: OK "Success."
Looking into the logs it appears that ldap never really gets around to
authenticating properly with SASL, but instead appears to be trying to
locate an entry in the LDAP database to authenticate against (the
database is of course empty at this point!).
Snippets of the logs and my slapd.conf file are below. Any suggestions
would be appreciated.
1) saslauthd is not used by default. You need to read the SASL
documentation, and put the appropriate config directives into
/usr/lib/sasl2/slapd.conf if you actually want to use it.
2) saslauthd only supports cleartext authentication, not secure
mechanisms like DIGEST-MD5. For achieving security, saslauthd is pretty
much worthless and should not be used.
3) Since OpenLDAP 2.3.6 you can perform secure SASL binds using a
plaintext rootpw in slapd.conf; this capability is not present in
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
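An added check for the mismatch in points 1 and 2 above (example script, not code from the thread, OpenLDAP or Cyrus SASL): it reads the standard Cyrus SASL `pwcheck_method` and `mech_list` directives from a sasl2 application config and flags saslauthd being asked to serve a non-cleartext mechanism such as DIGEST-MD5. The two sample configs it writes under /tmp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Cyrus SASL application config
# (e.g. /usr/lib/sasl2/slapd.conf) for the mismatch described above.
# saslauthd only verifies cleartext passwords (PLAIN, LOGIN), so it cannot
# serve shared-secret mechanisms such as DIGEST-MD5; those need a stored
# secret, e.g. the sasldb auxprop plugin.

# Print the value of a "key: value" directive (first match, case-insensitive).
sasl_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" -F': *' 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sasl_conf FILE: return 0 if FILE can serve every mechanism it lists,
# 1 (with a diagnostic on stderr) otherwise.
check_sasl_conf() {
    method=$(sasl_directive "$1" pwcheck_method | tr 'A-Z' 'a-z')
    mechs=$(sasl_directive "$1" mech_list | tr 'A-Z' 'a-z')
    case "$method" in
        saslauthd)
            for m in $mechs; do
                case "$m" in
                    plain|login) ;;
                    *) echo "$1: $m cannot be verified by saslauthd (cleartext only)" >&2
                       return 1 ;;
                esac
            done ;;
        auxprop|"")   # auxprop (the default, e.g. sasldb) stores secrets, so DIGEST-MD5 works
            ;;
        *) echo "$1: unknown pwcheck_method '$method'" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample configs: a saslauthd-backed one that lists DIGEST-MD5
# (the combination that cannot work) and a sasldb-backed one that can.
BAD_CONF=/tmp/sasl_bad.conf
OK_CONF=/tmp/sasl_ok.conf
printf 'pwcheck_method: saslauthd\nmech_list: DIGEST-MD5\n' > "$BAD_CONF"
printf 'pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: DIGEST-MD5 PLAIN\n' > "$OK_CONF"

check_sasl_conf "$OK_CONF" && echo "$OK_CONF: ok"
check_sasl_conf "$BAD_CONF" || echo "$BAD_CONF: misconfigured"
```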