Re: openldap+sasl confusion
Hi Michael, thank you so much for your response.
1. Yes, I am talking about SASL bind with password-based mechs. What do you mean by in-directory passwords? Where are the in-directory passwords stored? How do I set userPassword attributes? Can you give an example? It should be in slapd.conf, I assume.
2. Again, what do you mean by the directory? What is the best practice if I want to implement SASL bind with my openldap? Can you advise please.
3. Can you give an example of slapd.conf with configuration for a DIGEST-MD5 SASL authentication method? I am pretty lost now. All that you mention I have read before but I just don't know how to piece them all together.
4. I didn't put a hashed password in slapd.conf. But, the clear text password will be the actual password for the ldap admin? For, e.g., if I set rootpw to admin, the password I provide when ldap prompts for password should be "admin"?
5. What do you mean by grant access to users? Can you please explain more?
I am really lost, hopefully you can assist and guide me, thanks in advance, Michael.
2009/6/27 Michael Ströder <email@example.com>
Seau Yeen Su wrote:
> 1. After using saslpasswd2 to create the username and password in sasl
> database, do i need to add the entry into ldap database with slappasswd
> command? When i used slapadd command and it prompts for password, does
> it authenticate against sasl database or ldap database?

I assume you're talking about SASL bind with password-based mechs.

It depends whether you want in-directory passwords (mainly userPassword
with clear-text password as attribute value) or not.

> 2. Do i need to issue saslpasswd2 for each and every user that i want to
> add into ldap database and to be authenticated via ldap?

Only if you don't store the passwords in the directory.

> 3. In the slapd.conf file, under rootpw, am i supposed to use the word
> "secret" or the cleartext password that i keyed in using saslpasswd2 or
> some encrypted password?

As values for attribute userPassword rootpw can be hashed or clear-text.
If you also want to bind as rootdn with SASL bind with mech CRAM-MD5 or
DIGEST-MD5 then it has to be clear-text. Otherwise it can be hashed
(e.g. generated/hashed with command-line tool slappasswd).

> 4. What is the difference between sasl-regexp and authz-regexp?

authz-regexp is the recent keyword in slapd.conf for this.

> 5. Let's say i issued saslpasswd2 -c admin to create admin as the LDAP
> administrator. Does this mean in the slapd.conf, the rootdn should be
> admin or can it be another name, that will be mapped via
> sasl-regexp/authz-regexp? (Which does it use anyway between these 2 :
> sasl-regexp & authz-regexp?)

SASL bind with digest password mech only knows a plain user-ID. So you
need an appropriate authz-regexp in slapd.conf to map it to a DN of an

> 6. Previously I set up without sasl and it was rather straightforward,
> merely using slappasswd and save the encrypted password into slapd.conf.

If you used a hashed password in rootpw and you did nothing else then I
doubt you could use that with SASL/DIGEST-MD5 bind.

Don't forget to double check the access control rule for userPassword.
Should contain a clause to grant auth access to anyone.

access to attrs=userPassword
  by group="cn=Password Admins,ou=Groups,ou=schulung" =wx
  by self =wx
  by * =x
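The pieces Michael lists (clear-text rootpw for digest mechs, authz-regexp mapping the SASL user-ID to a DN, and auth access on userPassword) fit together in one slapd.conf like the fragment below. This is an added example for the thread, not configuration posted by either participant; the suffix dc=example,dc=com, the rootdn cn=Manager, the user "manager", the ou=People/ou=Groups layout and the schema include paths are assumptions, and the rootpw value is a placeholder.

```conf
# Added example slapd.conf fragment: SASL DIGEST-MD5 bind with in-directory passwords.
# All names below are assumptions, not values from the thread.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Offer no anonymous and no plain-text SASL mechanisms.
sasl-secprops   noanonymous,noplain

database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

rootdn          "cn=Manager,dc=example,dc=com"
# Clear-text on purpose: DIGEST-MD5 and CRAM-MD5 need the secret itself to
# verify the challenge response, so an {SSHA} value from slappasswd would only
# work for simple bind. Keep this file readable by the slapd user only.
# Placeholder value:
rootpw          CHANGE-ME-CLEARTEXT

# A DIGEST-MD5 bind for user "manager" reaches slapd as the SASL identity
#   uid=manager,cn=digest-md5,cn=auth
# authz-regexp (the current name for sasl-regexp) rewrites it to a real DN.
# Rules are tried in order, first match wins. Mapping to the rootdn means
# slapd checks rootpw; mapping to an ordinary entry means slapd checks that
# entry's clear-text userPassword value.
authz-regexp
    "^uid=manager,cn=digest-md5,cn=auth$"
    "cn=Manager,dc=example,dc=com"

# Everyone else: resolve the entry under ou=People whose uid equals the SASL user-ID.
authz-regexp
    "^uid=([^,]*),cn=digest-md5,cn=auth$"
    "ldap:///ou=People,dc=example,dc=com??one?(uid=$1)"

# userPassword: auth (=x) for everyone so binds can be verified, write (=w)
# for the owner and the password admins; nobody gets read.
access to attrs=userPassword
    by group.exact="cn=Password Admins,ou=Groups,dc=example,dc=com" =wx
    by self =wx
    by * =x

access to *
    by self write
    by users read
    by * none
```

With this layout an ordinary user's entry carries a clear-text value such as `userPassword: <their password>` in its LDIF, and no saslpasswd2 entry is needed. If the passwords are kept in sasldb via saslpasswd2 instead, the identity DIGEST-MD5 presents includes the realm (`uid=<user>,cn=<realm>,cn=digest-md5,cn=auth`), so the second pattern would need an extra `cn=[^,]*,` component to match.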