[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Getting LDAP and SASL (digest-md5) to play nice

Howard Chu wrote:
Hallvard B Furuseth wrote:
Rick Stevens writes:
I'm sure I'm not the only person having this issue, but I absolutely
cannot seem to get SASL and LDAP to work.  I want SASL to authenticate
using the passwords in LDAP, but in the classic chicken-and-egg
scenario, you can't talk to LDAP without having SASL working first.

Hmm, this could use a mention in the Admin Guide.


I haven't tried it myself, but: In addition to setting up slapd to
use SASL, you must set up SASL to use LDAP.  In Cyrus SASL, that is
described in doc/install.html: Build with LDAP support (the circular
dependency shows up here too), then use the LDAPDB auxprop plugin.

The ldapdb plugin is only needed by other SASL-enabled services that are meant to use LDAP for authentication. It does not deserve mention in the OpenLDAP Admin Guide because it is strictly a SASL administrator's concern. That's also why we moved the ldapdb code from the OpenLDAP source tree into the Cyrus SASL source tree, and why the ldapdb plugin is only documented in the Cyrus SASL documentation. Don't muddy the picture by dragging in irrelevant elements.

For SASL authentication within OpenLDAP software, all of the necessary components are already intrinsic to libldap and slapd.

That's where I'm getting hosed, guys. I know that SUPPOSEDLY it's all
there (this is an F8 install). I have all the passwords set up as
cleartext in the userPassword attribute. If I try to authenticate as
"root" WITHOUT an entry in sasldb for root, the ldapwhoami NEVER authenticates:

[root@prophead ~]# ldapwhoami -w unix__gort
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

So, that's pretty obvious that it's NOT looking in LDAP for the
password, isn't it?  Now, WITH a password in the sasldb:

[root@prophead ~]# ldapwhoami -w unix__gort
SASL/DIGEST-MD5 authentication started
SASL username: root
SASL installing layers
Result: Success (0)

So, SASL is happy with an entry in the sasldb, but obviously that DN
isn't in the LDAP database.  So, I added an authz-regexp:


Now, ldapwhoami gives me:

[root@prophead ~]# ldapwhoami -w unix__gort
SASL/DIGEST-MD5 authentication started
SASL username: root
SASL installing layers
Result: Success (0)

Isn't that grand!  That's what I want (I think), but it requires
me to put an entry in the sasldb and I don't think that's necessary
from what I gather from the docs.  However, without it, I can't
authenticate at all, and therefore can't even get to LDAP.

That being said, even that doesn't appear to be enough as I have an
access rule:

	access to attrs=userPassword
	        by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
	        by dn="cn=manager,dc=gbsbilling,dc=com" write
	        by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
	        by anonymous auth
	        by self write
	        by * none

and an ldapsearch as the root user (even using the root DN) will NOT
display the userPassword fields.  It only will display if I include a

		by dn="uid=root,cn=digest-md5,cn=auth" write

as the first rule.  So, the rewrite isn't being used in the "access to"
stuff at all.

I'm sure I'm spectacularly dense on this but in the immortal words of my
boss, "what the fark is going on here?"
- Rick Stevens, Unix Geek                          rps2@socal.rr.com -
-                                                                    -
-  Jimmie crack corn and I don't care...what kind of lousy attitude  -
-                 is THAT to have, huh?   -- Dennis Miller           -