
Re: OpenLDAP as a SASL backend



I had set up a secured TLS with all the certificates and keys needed. But still, I cannot log in using SASL and the PLAIN/LOGIN mechanisms over TLS. The user in the example has the userPassword hashed in MD5. See errors below:

>ldapsearch -h localhost:9999 -Y PLAIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed

>ldapsearch -h localhost:9999 -Y LOGIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: checkpass failed

Using a cleartext password solves the problem, but this is not what I am trying to do.
Just a reminder of what I am trying to achieve: in the database I want the userPassword field to be hashed, and the bind authentication will be against it using the authz-regexp directive in slapd.conf. Using DIGEST-MD5 SASL doesn't help here because the userPassword needs to be in cleartext in the database.

Yet again, any help will be appreciated.
Zohar



On 10/23/07, Dieter Kluenter <dieter@dkluenter.de> wrote:
"Zohar Lev Shani" <levshani5252@gmail.com> writes:

> OK, got that.
>
> Now I am trying a different SASL configuration, and I have these
> mechanisms available:
>
>> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base -LLL
> dn:
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: PLAIN
>
> With the same data, I tried running ldapsearch with SASL and got that
> there are no SASL mechanisms available.
>
>> ldapsearch -h localhost:9999 -Y PLAIN -U user1 -w pass1 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available: No worthy mechs found
>
> Same goes for '-Y LOGIN'.
>
> What am I missing here?

OpenLDAP only supports PLAIN and LOGIN if the data transport is secured,
that is, either by TLS or a local pipe. Install sasl libdigestmd5 and
libcrammd5 to provide shared-secret security.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6