
Re: OpenLDAP as a SASL backend



OK, got that.

Now I am trying a different SASL configuration, and I have these
mechanisms available:

> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base -LLL
dn:
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

With the same data, I tried running ldapsearch with SASL and got an error
saying that there are no SASL mechanisms available.

> ldapsearch -h localhost:9999 -Y PLAIN -U user1 -w pass1 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

Same goes for '-Y LOGIN'.

What am I missing here?

Thanks in advance
Zohar


On 10/11/07, Dan White <dwhite@olp.net> wrote:
> Zohar,
>
> See:
>
> http://www.openldap.org/doc/admin23/sasl.html
>
> Specifically section 11.2.3 for a discussion of DIGEST-MD5.
>
> If using DIGEST-MD5, your password will be treated as a shared
> secret and will not be transmitted over the wire. Also, if
> configured correctly (data security layer), the remaining portion
> of your connection will be encrypted.
>
> - Dan White
>
> Zohar Lev Shani wrote:
> > Hello list
> >
> > I am trying to use OpenLDAP also as the repository of the users and
> > passwords for the SASL mechanism.
> > The problem I am facing is that it only works if the userPassword is
> > kept in clear text and not in a hashed form. I would like to use the
> > hashed form because my application has a proprietary backend where the
> > data goes over the wire, and for that I need the userPassword attribute
> > not to be in clear text.
> >
> > Below is what I tried to do, based on OpenLDAP 2.3.24 running on RH4
> > U3 (Nahant).
> >
> > Any help will be appreciated.
> >
> > Zohar
> >
> >
> >> ./configure --prefix=`pwd`
> >
> > I added to the default slapd.conf with this entry
> > authz-regexp "uid=([^,]*)"  "cn=$1,cn=users,dc=my-domain,dc=com"
> >
> > The run command
> >> ./slapd -f slapd.conf -d -1 -h ldap://localhost:9999 1>& slapd.log 2>&1 &
> >
> > Available SASL mechanisms
> >> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base -LLL
> > dn:
> > supportedSASLMechanisms: DIGEST-MD5
> > supportedSASLMechanisms: CRAM-MD5
> > supportedSASLMechanisms: GSSAPI
> > supportedSASLMechanisms: NTLM
> >
> > Data I am going to add
> >> cat ./new_user.ldif
> > dn: dc=my-domain,dc=com
> > objectclass: dcObject
> > objectclass: organization
> > o: my-org
> > dc: my-domain
> >
> > dn: cn=Manager,dc=my-domain,dc=com
> > objectclass: organizationalRole
> > cn: Manager
> >
> > dn: cn=users,dc=my-domain,dc=com
> > objectclass: organizationalRole
> > cn: users
> >
> > dn: cn=user1,cn=users,dc=my-domain,dc=com
> > objectclass: organizationalRole
> > objectclass: simpleSecurityObject
> > cn: user1
> > userPassword: {MD5}pyLGPbjshiWvbPccuMLZOQ==
> > #password: pass1
> >
> > dn: cn=user3,cn=users,dc=my-domain,dc=com
> > objectclass: organizationalRole
> > objectclass: simpleSecurityObject
> > cn: user3
> > userPassword: {CLEARTEXT}pass3
> >
> >> ldapadd -h localhost:9999 -x -w secret -D cn=Manager,dc=my-domain,dc=com -f ./new_user.ldif
> >
> >> ldapsearch -h localhost:9999 -x -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
> > dn: cn=user1,cn=users,dc=my-domain,dc=com
> > objectClass: organizationalRole
> > objectClass: simpleSecurityObject
> > cn: user1
> > userPassword:: e01ENX1weUxHUGJqc2hpV3ZiUGNjdU1MWk9RPT0=
> >
> >> ldapsearch -h localhost:9999 -Y DIGEST-MD5 -U user1 -w pass1 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
> > SASL/DIGEST-MD5 authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: SASL(-13): user not found: no secret in database
> >
> >> ldapsearch -h localhost:9999 -Y DIGEST-MD5 -U user3 -w pass3 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
> > SASL/DIGEST-MD5 authentication started
> > SASL username: user3
> > SASL SSF: 128
> > SASL installing layers
> > dn: cn=user1,cn=users,dc=my-domain,dc=com
> > objectClass: organizationalRole
> > objectClass: simpleSecurityObject
> > cn: user1
> > userPassword:: e01ENX1weUxHUGJqc2hpV3ZiUGNjdU1MWk9RPT0=
>
>
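The thread's core point, as an added illustration that is not code from the list or from OpenLDAP: a simple bind can verify a `{MD5}`-hashed userPassword because the server re-hashes what the client sent, while DIGEST-MD5 (RFC 2831) builds its response from MD5(user:realm:password), which the server can only compute from the cleartext password. The verifier below is a simplified stand-in for slapd's behaviour, not its code; the sample users and realm are constructed.

```python
import base64
import hashlib


def make_md5_userpassword(password: str) -> str:
    """Build a userPassword value in OpenLDAP's {MD5} form: base64(md5(password))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def check_userpassword(stored: str, supplied: str) -> bool:
    """Simple-bind style check: hash the supplied password with the scheme named
    in the stored value and compare. Works whether or not storage is hashed."""
    if stored.startswith("{CLEARTEXT}"):
        return stored[len("{CLEARTEXT}"):] == supplied
    if stored.startswith("{MD5}"):
        return make_md5_userpassword(supplied) == stored
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(supplied.encode()).digest()
        return "{SHA}" + base64.b64encode(digest).decode() == stored
    return stored == supplied  # no scheme prefix means the value is cleartext


def digest_md5_response(user: str, realm: str, password: str, nonce: str,
                        cnonce: str, digest_uri: str,
                        nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2831 response-value (no authzid). HA1 mixes the cleartext password
    with user and realm; a stored md5(password) cannot be turned into it."""
    h = lambda b: hashlib.md5(b).digest()
    hx = lambda b: hashlib.md5(b).hexdigest()
    a1 = h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return hx(f"{hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hx(a2)}".encode())


def server_can_verify_digest_md5(stored: str) -> bool:
    """A DIGEST-MD5 (or CRAM-MD5) verifier needs the cleartext secret, which is
    why slapd answers 'no secret in database' for a {MD5}-hashed userPassword."""
    return stored.startswith("{CLEARTEXT}") or not stored.startswith("{")


if __name__ == "__main__":
    hashed, clear = make_md5_userpassword("pass1"), "{CLEARTEXT}pass3"
    print("simple bind user1:", check_userpassword(hashed, "pass1"))          # True
    print("DIGEST-MD5 possible for user1:", server_can_verify_digest_md5(hashed))  # False
    print("DIGEST-MD5 possible for user3:", server_can_verify_digest_md5(clear))   # True
```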