Hi
I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of the documentation is really horrible. Until someone eventually fixes that, here is, for future reference, what I had to do (the NetBSD system parts are off topic, but I added them for the sake of completeness).

Configuration:
  NetBSD-3.1
  OpenLDAP-2.3.27 from NetBSD's pkgsrc
  Cyrus-SASL-2.1.22 from NetBSD's pkgsrc
1) Install the software

1.1 Fix a pkgsrc bug: in /usr/pkgsrc/databases/openldap-server/options.mk, change --with-spasswd into --enable-spasswd (this is the configure option that lets slapd hand {SASL} userPassword values to the SASL library for checking, which step 4.3 relies on).

1.2 Set build options for pkgsrc, in /etc/mk.conf:
  PKG_RCD_SCRIPTS=YES
  PKG_OPTIONS.openldap-client+=sasl
  PKG_OPTIONS.openldap-server+=sasl
  PKG_OPTIONS.cyrus-saslauthd+=pam

1.3 Install the following packages:
  databases/openldap
  security/cyrus-sasl
  security/saslauthd
  security/cy2-plain

1.4 Fix another pkgsrc bug, by building and installing libldap_r by hand:
  cd /usr/pkgsrc/databases/openldap-server/
  cd work/openldap-2.3.27/libraries/libldap_r
  make && make install
2) Configure PAM

Create /etc/pam.ldap and populate it with your PAM configuration.

3) Configure SASL

3.1 Enable saslauthd, by adding this to /etc/rc.conf:
  saslauthd=YES
  saslauthd_flags="-a pam"
3.2 Then start it: /etc/rc.d/saslauthd start
3.3 Configure the SASL library for slapd, by creating /usr/pkg/lib/sasl2/slapd.conf with the following content:
  pwcheck_method: saslauthd
  saslauthd_path: /var/run/saslauthd/mux

3.4 Check SASL functionality:
  testsaslauthd -s ldap -u login -p password
Make sure a wrong password really fails...

4) Configure OpenLDAP (the nasty part)

4.1 Enable the PLAIN mechanism (disabled by default) in /usr/pkg/etc/openldap/slapd.conf, by adding:
  sasl-secprops none
slapd's default for sasl-secprops is "noanonymous,noplain", which is what refuses PLAIN; "none" clears that restriction.
You don't need sasl-regex or authz-regex.
4.2 Enable TLS. PLAIN sends the password in the clear, so TLS is what protects it on the wire. Generate a TLS certificate, and add certificate, key and CA to /usr/pkg/etc/openldap/slapd.conf:
  TLSCertificateFile /etc/openssl/certs/botin.crt
  TLSCertificateKeyFile /etc/openssl/private/botin.key
  TLSCACertificateFile /etc/openssl/certs/ca.crt

4.3 Populate the directory, and make sure that user cn=jdoe,dc=example,dc=net has this:
  userPassword: {SASL}jdoe
4.4 Enable slapd, by adding to /etc/rc.conf: slapd=YES
4.5 Start slapd: /etc/rc.d/slapd start
4.6 Check that slapd will accept PLAIN SASL authentication:
  ldapsearch -x -b "" -s base supportedSASLMechanisms
You should get:
  supportedSASLMechanisms: PLAIN

4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf:
  BASE dc=example,dc=net
  TLS_CACERT /etc/openssl/certs/ca.crt
  SASL_MECH PLAIN
  SASL_SECPROPS none

4.8 Check that the whole thing works (-Z requests StartTLS, -W prompts for the password, -D gives the bind DN):
  ldapsearch -x -WZD cn=jdoe,dc=example,dc=net
Don't forget to make sure a wrong password fails...
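As an added example (this is not from the original post), here are the checks from 3.4, 4.6 and 4.8 as a small sh script that tests both the good and the wrong password in one go. It assumes testsaslauthd and ldapsearch are on PATH (the TESTSASLAUTHD and LDAPSEARCH variables override that, e.g. to point at stubs when testing the script itself offline), reads the OK/NO verdict from the line testsaslauthd prints, and relies on ldap.conf for the server, as the post's commands do. The user and passwords on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: verification script for the
# "make sure a wrong password really fails" checks (3.4, 4.8) and the
# supportedSASLMechanisms check (4.6).  TESTSASLAUTHD and LDAPSEARCH are
# assumptions: they default to the real tools but can point at stubs.

TESTSASLAUTHD="${TESTSASLAUTHD:-testsaslauthd}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"

# has_sasl_mech MECH: read ldapsearch root-DSE output on stdin and succeed
# if it advertises "supportedSASLMechanisms: MECH".
has_sasl_mech() {
    grep -i "^supportedSASLMechanisms: *$1\$" >/dev/null
}

# saslauthd_accepts USER PASSWORD: succeed if testsaslauthd reports OK.
# testsaslauthd prints a line like '0: OK "Success."' on success and
# '0: NO "authentication failed"' otherwise; the verdict is taken from
# that line rather than from the exit status.
saslauthd_accepts() {
    "$TESTSASLAUTHD" -s ldap -u "$1" -p "$2" 2>/dev/null | grep ': OK' >/dev/null
}

# saslauthd_round_trip USER GOOD_PW BAD_PW: succeed only if the right
# password is accepted AND the wrong one is rejected.  Testing only the
# good password cannot distinguish a working setup from one that accepts
# any password at all.
saslauthd_round_trip() {
    saslauthd_accepts "$1" "$2" || return 1
    saslauthd_accepts "$1" "$3" && return 1
    return 0
}

# slapd_offers_plain: the check from step 4.6 as a yes/no function
# (no -H, so the server comes from ldap.conf, as in the post).
slapd_offers_plain() {
    "$LDAPSEARCH" -x -b "" -s base supportedSASLMechanisms 2>/dev/null | has_sasl_mech PLAIN
}

# main USER GOOD_PW BAD_PW: run all checks and report; exit status 0 only
# if every check passed.
main() {
    [ $# -eq 3 ] || { echo "usage: $0 user good-password wrong-password" >&2; return 2; }
    status=0
    if saslauthd_round_trip "$1" "$2" "$3"; then
        echo "saslauthd: ok (good password accepted, wrong password rejected)"
    else
        echo "saslauthd: FAILED (see /var/log/authlog)"; status=1
    fi
    if slapd_offers_plain; then
        echo "slapd: PLAIN advertised"
    else
        echo "slapd: PLAIN not advertised (check sasl-secprops in slapd.conf)"; status=1
    fi
    return $status
}

# Only run the checks when invoked with arguments, so the file can also be
# sourced for its functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-sasl.sh jdoe 'the-real-password' 'some-wrong-password'` once saslauthd and slapd are up; the wrong-password half is the one that catches a PAM stack that has silently started accepting everything.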
NB1: saslauthd logs in /var/log/authlog, the error messages are useful
NB2: slapd logs in /var/log/slapd.conf, the error messages are usually meaningless, especially for ACL and SASL troubles.
NB3: Make sure your DN is right. I spent a lot of time running tests with an invalid DN (i.e. dc=jdoe instead of cn=jdoe).