
Re: SASL, DIGEST-MD5 and ROOTDN



Bernard McAuley wrote:
Hi,

I have set up a simple OPENLDAP server and I want to begin as I mean to
go on and keep the setup secure.  To this end I want the rootdn to be
set to bind via SASL.  According to the administrators guide this can be
achieved by setting the DN to be of the form:

uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth.

I've done this but when I attempt an ldapsearch I get the following:-

ldapsearch -U user supportedSASLMechanisms
SASL/DIGEST-MD5 authentication started
Please enter your password: <password>
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
(80)
        additional info: SASL(-13): user not found: no secret in
database

But when I test the sasl account using testsaslauthd I get the
following:-

/usr/sbin/testsaslauthd -u user -p secret -s slapd
0: OK "Success."

Looking into the logs it appears that ldap never really gets around to
authenticating properly with SASL, but instead appears to be trying to
locate an entry in the LDAP database to authenticate against (the
database is of course empty at this point!).
Snippets of the logs and my slapd.conf file are below. Any suggestions
would be appreciated.

1) saslauthd is not used by default. You need to read the SASL documentation, and put the appropriate config directives into /usr/lib/sasl2/slapd.conf if you actually want to use it.


2) saslauthd only supports cleartext authentication, not secure mechanisms like DIGEST-MD5. For achieving security, saslauthd is pretty much worthless and should not be used.

3) Since OpenLDAP 2.3.6 you can perform secure SASL binds using a plaintext rootpw in slapd.conf; this capability is not present in earlier releases.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
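An added illustration of the point in (2) above, not code from the thread or from OpenLDAP/Cyrus SASL: a minimal RFC 2831 DIGEST-MD5 client proof and server check. The client only ever sends a hash built from a server nonce, a client nonce and H(username:realm:password); the password itself never crosses the wire. So the verifier must hold that derived secret (here a hypothetical `secret_store` dict standing in for sasldb or a userPassword attribute); a backend that can only answer "is this cleartext password correct?", which is all saslauthd does, has nothing to check, and an empty store produces exactly the "no secret in database" condition the original poster hit. The usage block uses the worked example values from RFC 2831 section 4.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Added example: RFC 2831 DIGEST-MD5 (qop=auth, md5-sess) proof and verification.
# secret_store is a constructed stand-in for whatever the real server keeps
# (sasldb, a userPassword attribute); it maps (username, realm) -> H(user:realm:pw).


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the long-term value a DIGEST-MD5 verifier must hold.

    Because the client never transmits the password, a cleartext-only checker
    (saslauthd style) cannot verify this mechanism; the server needs this secret.
    """
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def _response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str,
              digest_uri: str, a2_prefix: str) -> str:
    # md5-sess: A1 = H(user:realm:pw) ":" nonce ":" cnonce, with H() as raw bytes
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" uri for the client proof, ":" uri for the server's rspauth
    a2 = f"{a2_prefix}:{digest_uri}".encode("utf-8")
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(kd_input.encode("utf-8"))


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str) -> Dict[str, str]:
    """Client side: it knows the password, so it derives the secret on the fly."""
    secret = digest_secret(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
        "nc": nc, "qop": qop, "digest-uri": digest_uri,
        "response": _response(secret, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE"),
    }


def server_verify(secret_store: Dict[Tuple[str, str], bytes],
                  msg: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Server side: fetch the stored secret, recompute the proof, emit rspauth.

    Returns (status, rspauth). Without a stored secret there is nothing to
    recompute against, which is the "no secret in database" case.
    """
    secret = secret_store.get((msg["username"], msg["realm"]))
    if secret is None:
        return ("no secret in database", None)
    expected = _response(secret, msg["nonce"], msg["cnonce"], msg["nc"],
                         msg["qop"], msg["digest-uri"], "AUTHENTICATE")
    if not hmac.compare_digest(expected, msg["response"]):
        return ("bad response", None)
    rspauth = _response(secret, msg["nonce"], msg["cnonce"], msg["nc"],
                        msg["qop"], msg["digest-uri"], "")
    return ("ok", rspauth)


if __name__ == "__main__":
    # Values from the RFC 2831 section 4 example exchange.
    msg = client_response("chris", "elwood.innosoft.com", "secret",
                          "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                          "auth", "imap/elwood.innosoft.com")
    populated = {("chris", "elwood.innosoft.com"):
                 digest_secret("chris", "elwood.innosoft.com", "secret")}
    print(server_verify(populated, msg))   # ('ok', rspauth)
    print(server_verify({}, msg))          # ('no secret in database', None)
```

The server never sees "secret"; it only needs H(user:realm:pw), which is why a plaintext rootpw (point 3) or a populated sasldb works while a PAM-backed saslauthd, which must be handed the cleartext password to say yes or no, cannot participate in this mechanism at all.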