
Re: LDAP authentication against PAM how-to

Emmanuel Dreyfus wrote:

I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of
the documentation is really horrible. Until someone eventually fixes that,
here is, for future reference, what I had to do (the NetBSD system parts
are off topic, but I added them for the sake of completeness)

I wouldn't expect to find much documentation on this topic because in general it's the wrong thing to do. What distributed authentication system do you use that is supported by pam but is not supported directly by LDAP or SASL?

4) Configure OpenLDAP (the nasty part)
4.1 Enable PLAIN mechanism (disabled by default) in
/usr/pkg/etc/openldap/slapd.conf, by adding:
sasl-secprops none

You don't need sasl-regex or authz-regex.

4.6 Check that slapd will accept PLAIN SASL authentication:
ldapsearch -x -b "" -s base supportedSASLMechanisms
You should get:
supportedSASLMechanisms: PLAIN

4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf:
BASE    dc=example,dc=net
TLS_CACERT      /etc/openssl/certs/ca.crt

These steps are only needed if you're going to use plaintext passwords in SASL Binds, and yet you only show the use of Simple Binds here.

4.8 Check that the whole thing works:
ldapsearch -x -WZD cn=jdoe,dc=example,dc=net

Don't forget to make sure a wrong password fails...

NB1: saslauthd logs in /var/log/authlog, the error messages are useful

NB2: slapd logs in /var/log/slapd.conf, the error messages are usually
meaningless, especially for ACL and SASL troubles.

The log messages are meaningful, you just don't understand them. Your ignorance does not indicate a fault in the software.

NB3: Make sure your DN is right. I spent a lot of time running tests
with an invalid DN (i.e. dc=jdoe instead of cn=jdoe)

That's a pretty basic principle - if you want to log in to some system, you must use the correct username and password for that system...

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
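The two checks discussed above (step 4.6, that the server advertises PLAIN, and step 4.8 plus the reply's point that a wrong password must be rejected), written up as an added verification script that is not part of the original thread. It assumes the OpenLDAP ldapsearch client, the bind DN from the post, and the documented behaviour that the OpenLDAP tools exit with the LDAP result code (0 = success, 49 = invalidCredentials).

```shell
#!/bin/sh
# Added verification script (not from the original thread). Assumes the
# OpenLDAP ldapsearch client and the DN used in the post; both can be
# overridden through the environment.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
BINDDN=${BINDDN:-cn=jdoe,dc=example,dc=net}

# Step 4.6: confirm the rootDSE lists PLAIN among the SASL mechanisms.
# Returns 0 when it does, non-zero otherwise. -LLL strips LDIF comments
# and version lines so the grep sees one "attr: value" per line.
server_offers_plain() {
    "$LDAPSEARCH" -x -LLL -b "" -s base supportedSASLMechanisms 2>/dev/null \
        | grep -qx 'supportedSASLMechanisms: PLAIN'
}

# Step 4.8: simple bind as $BINDDN with the password read from file $1.
# -ZZ makes StartTLS mandatory, so the bind is refused rather than sent
# in the clear if TLS cannot be negotiated. Requesting attribute "1.1"
# (no attributes) keeps the authenticated search itself trivial.
# Returns the LDAP result code (0 = bound, 49 = invalidCredentials).
# Note: -y uses the file contents verbatim, so write the password file
# with printf '%s' to avoid a trailing newline becoming part of it.
try_bind() {
    "$LDAPSEARCH" -x -ZZ -D "$BINDDN" -y "$1" -b "" -s base 1.1 >/dev/null 2>&1
}

# The check the reply asks for: the correct password (file $1) must bind,
# and a wrong one (file $2) must fail with exactly invalidCredentials.
# Any other outcome (both accepted, or a non-49 error) is a misconfiguration.
verify_bind_enforced() {
    if try_bind "$1"; then rc_good=0; else rc_good=$?; fi
    if try_bind "$2"; then rc_bad=0;  else rc_bad=$?;  fi
    [ "$rc_good" -eq 0 ] && [ "$rc_bad" -eq 49 ]
}
```

Run it against the real server with two password files, e.g. `server_offers_plain && verify_bind_enforced good.pw wrong.pw && echo OK`; a zero exit from the second function means bad credentials are actually being refused, not silently accepted.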