Emmanuel Dreyfus wrote:
I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of
the documentation is really horrible. Until someone eventually fix that,
here is for future reference what I had to do (the NetBSD system parts
are out of topic, but I added them for the sake of completeness)
I wouldn't expect to find much documentation on this topic because in general
it's the wrong thing to do. What distributed authentication system do you use
that is supported by pam but is not supported directly by LDAP or SASL?
4) Configure OpenLDAP (the nasty part)
4.1 Enable PLAIN mechanism (disabled by default) in
/usr/pkg/etc/openldap/slapd.conf, by adding:
You don't need sasl-regex or authz-regex.
4.6 Check that slapd will accept PLAIN SASL authentication:
ldapsearch -x -b "" -s base supportedSASLMechanisms
You should get:
4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf:
These steps are only needed if you're going to use plaintext passwords in
SASL Binds, and yet you only show the use of Simple Binds here.
4.8 Check that the whole thing works:
ldapsearch -x -WZD cn=jdoe,dc=example,dc=net
Don't forget to make sure a wrong password fails...
NB1: saslauthd logs in /var/log/authlog, the error messages are useful
NB2: slapd logs in /var/log/slapd.conf, the error messages are usually
meaningless, especially for ACL and SASL troubles.
The log messages are meaningful, you just don't understand them. Your
ignorance does not indicate a fault in the software.
NB3: Make sure your DN is right. I spent a lot of time running tests
with an invalid DN (ie: dc=jdoe instead of cn=jdoe)
That's a pretty basic principle - if you want to login to some system, you
must use the correct username and password for that system...
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/