[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sasl/plain with hashed password not working

To: btb <btb@bitrate.net>
Subject: Re: sasl/plain with hashed password not working
From: Dan White <dwhite@olp.net>
Date: Wed, 2 Oct 2013 08:44:06 -0500
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <524C1AC4.4060109@bitrate.net>
References: <524C1AC4.4060109@bitrate.net>
User-agent: Mutt/1.5.21 (2010-09-15)

On 10/02/13 09:08 -0400, btb wrote:

i've enabled the plain sasl mech, and testing with ldapwhoami works,but only if the userpassword is left as plaintext. if hashing [ssha]is used, it fails. a simple bind succeeds. what am i doing wrong?
ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w
'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: Password verification failed

524b7989 ==>slap_sasl2dn: converting SASL nameuid=flash,cn=plain,cn=auth to a DN524b7989 ==> rewrite_context_apply [depth=1]string='uid=flash,cn=plain,cn=auth'524b7989 ==> rewrite_rule_applyrule='uid=([^,]*),cn=digest-md5,cn=auth'string='uid=flash,cn=plain,cn=auth' [1 pass(es)]524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'string='uid=flash,cn=plain,cn=auth' [1 pass(es)]524b7989 ==> rewrite_context_apply [depth=1]res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->"uid=flash,ou=people,ou=accounts,dc=example,dc=com"524b7989 slap_parseURI: parsinguid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:<uid=flash,ou=people,ou=accounts,dc=example,dc=com>524b7989 <==slap_sasl2dn: Converted SASL name touid=flash,ou=people,ou=accounts,dc=example,dc=com


libsasl2, with default configuration, requires that the password be stored
in cleartext, even for PLAIN.

To support {ssha} in this scenario, I recommend you configure your SASL
slapd.conf file to authenticate against saslauthd, which in turn should be
configured to perform ldap simple (non-sasl) authentication against slapd.
Think of it as a two-level deep recursive authentication.

Create a slapd.conf SASL file (e.g. /usr/lib/sasl2/slapd.conf) with these
contents:

  pwcheck_method: saslauthd
  # Disallow shared secret mechanisms
  mech_list: PLAIN LOGIN GSSAPI EXTERNAL

Run saslauthd with the ldap backend. Run in debug mode to trouble shoot.
If slapd is running non-root, modify the permissions to the saslauthd mux
(e.g. /var/run/saslauthd/mux) to allow slapd to access it.

See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
The saslauthd manpage
saslauthd/LDAP_SASLAUTHD (in the cyrus sasl source)

--
Dan White

Follow-Ups:
- Re: sasl/plain with hashed password not working
  - From: btb@bitrate.net

References:
- sasl/plain with hashed password not working
  - From: btb <btb@bitrate.net>

Prev by Date: sasl/plain with hashed password not working
Next by Date: Re: Migrating to new production servers via syncrepl
Index(es):
- Chronological
- Thread