Emmanuel Dreyfus wrote:
Hi
I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of the documentation is really horrible. Until someone eventually fixes that, here is for future reference what I had to do (the NetBSD system parts are off topic, but I added them for the sake of completeness).
I wouldn't expect to find much documentation on this topic because in general it's the wrong thing to do. What distributed authentication system do you use that is supported by pam but is not supported directly by LDAP or SASL?
- Configure OpenLDAP (the nasty part)
4.1 Enable PLAIN mechanism (disabled by default) in /usr/pkg/etc/openldap/slapd.conf, by adding:
    sasl-secprops none
You don't need sasl-regex or authz-regex.
4.6 Check that slapd will accept PLAIN SASL authentication:
    ldapsearch -x -b "" -s base supportedSASLMechanisms
You should get:
    supportedSASLMechanisms: PLAIN
4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf:
    BASE dc=example,dc=net
    TLS_CACERT /etc/openssl/certs/ca.crt
    SASL_MECH PLAIN
    SASL_SECPROPS none
These steps are only needed if you're going to use plaintext passwords in SASL Binds, and yet you only show the use of Simple Binds here.
4.8 Check that the whole thing works:
    ldapsearch -x -WZD cn=jdoe,dc=example,dc=net
Don't forget to make sure a wrong password fails...
NB1: saslauthd logs in /var/log/authlog; the error messages are useful.
NB2: slapd logs in /var/log/slapd.conf; the error messages are usually meaningless, especially for ACL and SASL troubles.
The log messages are meaningful, you just don't understand them. Your ignorance does not indicate a fault in the software.
NB3: Make sure your DN is right. I spent a lot of time running tests with an invalid DN (i.e. dc=jdoe instead of cn=jdoe).
That's a pretty basic principle - if you want to log in to some system, you must use the correct username and password for that system...
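As an added example, not part of the exchange above: the slapd.conf setting from step 4.1 shown beside a variant that keeps PLAIN enabled but makes slapd refuse any operation, SASL or simple bind, that does not already run inside TLS. Directive names are OpenLDAP's own; the server certificate paths and the 128-bit figure are assumptions for this example.

```conf
# --- As posted (step 4.1): PLAIN is advertised on every connection,
# --- including a cleartext one, because "none" drops the default
# --- noanonymous,noplain restriction.
# /usr/pkg/etc/openldap/slapd.conf
sasl-secprops none

# --- Hardened variant: PLAIN stays enabled (saslauthd -> PAM still needs it),
# --- but nothing is accepted until the connection carries a TLS layer.
# /usr/pkg/etc/openldap/slapd.conf
TLSCACertificateFile  /etc/openssl/certs/ca.crt        # CA from step 4.7
TLSCertificateFile    /etc/openssl/certs/slapd.crt     # assumed path
TLSCertificateKeyFile /etc/openssl/private/slapd.key   # assumed path

sasl-secprops none
# ssf=128: every operation, including the anonymous rootDSE read in step 4.6,
#          needs a security strength factor of at least 128 (supplied by TLS).
# simple_bind=128: the "-x" bind used in step 4.8 is held to the same bar, so a
#          password can no longer be sent in the clear by a misconfigured client.
security ssf=128 simple_bind=128

# --- Client side (/usr/pkg/etc/openldap/ldap.conf): in addition to the four
# --- lines from step 4.7, refuse to talk to a server whose certificate does
# --- not chain to TLS_CACERT.
TLS_REQCERT demand
```

With `security ssf=128` in place, the checks in steps 4.6 and 4.8 must negotiate StartTLS first, i.e. `ldapsearch -ZZ ...`; a plain `ldapsearch -x` without `-Z` is then rejected rather than silently answered in cleartext.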