[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL Authentication & OpenLDAP 2.0.18



Hi All,

While testing SASL authentication for OpenLDAP (2.0.18) I have
the following problem: when using 'ldapsearch' whith SASL auth
(i.e.: 'ldapsearch -LLL -U myuid -b "dc=mydc"') the user is
properly authenticated.

If instead I force ldapsearach to "Simple Auth" (whith the -x
flag, i.e.:

  ldapsearch -LLL -D "cn=My Name,ou=Friends,o=myorg,dc=mydc"
             -b "dc=Pittypanda" -W -x

for example), then it wont go through SASL and find the pass
in sasldb for the user - fairly normal for me. But the thing
is that (at least on my install) if I give as password:

  {SASL}myuid

then it authenticates, meaning: OpenLDAP says it's the correct
password! ({SALS}myuid is the value given for userpassword to
OpenLDAP - myuid being in the sasldb: to me it meant that it
had to authenticate through SASL..).

Am I totally misconfiguring/missing something, or else something
is really wrong?


Actually I have tried to reproduce the same with version 2.0.7
on a RedHat 7.1 and couldnt.  Instead whith the 2.0.18 I had
this behaviour on RedHat 6.2 and 7.1.

Here under is the slapd configuration used (exactly the same
for the tests on the 2.0.7 and the 2.0.18):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/openldap/etc/openldap/schema/core.schema
include		/usr/local/openldap/etc/openldap/schema/cosine.schema
include		/usr/local/openldap/etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.
defaultaccess  none

access to dn="^$" by * read
access to * by dn="uid=admin + realm=ldapserver" read by * auth

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/local/openldap/var/slapd.pid
argsfile	/usr/local/openldap/var/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/local/openldap/libexec/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
suffix		"dc=mydc"
rootdn		"uid=admin + realm=ldapserver"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/usr/local/openldap/var/openldap-ldbm
# Indices to maintain
index	objectClass	eq
#
# -- General ACL.
#
access to attr="userpassword"
       by self write
       by *    compare

access to dn="cn=[^,]+,ou=[^,]+,o=([^,]+),dc=mydc"
       by dn="cn=[^,]+,ou=[^,]+,o=$1,dc=mydc"      read
       by dn="o=$1,dc=mydc"                        write
       by *                                        auth

access to dn="ou=[^,]+,o=([^,]+),dc=mydc"
       by dn="cn=[^,]+,ou=[^,]+,o=$1,dc=mydc"      read
       by dn="o=$1,dc=mydc"                        write
       by *                                        auth


and when adding a user password it was following this format:

  ...
  uid: myuid
  userpassword: {SASL}myuid
  ...

Thanks in advance for the help!
Regards,
Stéphane


PS.: with the ACLs given in this conf any user (except 'admin')
wont be able to do anything but authenticate himself if he is
given an "SASL type of account".. but he shouldnt be able to
read anything as well, if simply forcing his client to bind
using simple auth (??) and giving {SASL}myuid as password?