Dieter Kluenter wrote:
Jittinan Suwanrueangsri jittinan2@gmail.com writes:
Hi
I have seen a configuration in which SASL gets the password from sasldb. I must run saslpasswd2 to create the user and password for authentication, but is it possible to configure OpenLDAP and SASL to verify authentication by getting the password from OpenLDAP itself, as happens in simple binding (userPassword attribute)? How can I do it?
There is nothing special to do.

ldapsearch -Y DIGEST-MD5 -U foo -w secret -H ldap://myhost -b dc=example,dc=com ...

All you have to do is to set the userPassword value as plaintext, otherwise the challenge cannot be created. If you want to parse the sasl authentication string to a DN, then you have to define an authz-regexp in slapd.conf(5) and the user has to have a uid attribute.
-Dieter
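The mapping Dieter describes can be followed step by step in code. The block below is an added illustration written for this page; it is neither part of the thread nor OpenLDAP's own code. It builds the SASL authentication DN that slapd derives from a DIGEST-MD5 bind, runs it through the two authz-regexp rules from the slapd.conf posted later in the thread, and checks whether a stored userPassword value can back DIGEST-MD5 at all. Assumptions: slapd matches authz-regexp patterns with POSIX regexec semantics (case-insensitive, not anchored at the start) and substitutes $1..$9, and the SASL DN shape uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth is the conventional one; the certificate-style DN and the hashed password value are constructed sample inputs.

```python
"""Added illustration (not part of the thread, not OpenLDAP code): simulate
what slapd does with a SASL identity before it looks at userPassword."""
import re

# The two rules copied from the slapd.conf posted in the thread.
AUTHZ_REGEXP = [
    (r"uid=([^,]+).*,cn=auth", "uid=$1,ou=Users,dc=example,dc=com"),
    (r"email=([^,]+),cn=([^,]+).*,c=TH$", "uid=$2,ou=Users,dc=example,dc=com"),
]


def sasl_authc_dn(authcid, realm, mech):
    """Identity slapd derives from a SASL bind (realm omitted when empty).
    Assumed conventional shape: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def map_authz(sasl_dn, rules=AUTHZ_REGEXP):
    """Apply the authz-regexp rules in order and return the first rewritten
    DN, or None when no rule matches. Without a match the identity stays the
    synthetic cn=auth DN, which is not a real entry, so 'by self' ACL clauses
    never apply to it. Assumes regexec-style matching: case-insensitive and
    not anchored at the start of the string."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            # slapd writes back-references as $1..$9; re.Match.expand wants \1..\9
            return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return None


def digest_md5_usable(user_password):
    """DIGEST-MD5 proves knowledge of MD5(user:realm:password), so the server
    must be able to recover the cleartext. A value stored under a hashing
    scheme prefix such as {SSHA} or {CRYPT} cannot be used; this check treats
    any {scheme} prefix as unusable, which is deliberately conservative."""
    return re.match(r"\{[A-Za-z0-9-]+\}", user_password) is None


if __name__ == "__main__":
    dn = sasl_authc_dn("matt", "example.com", "DIGEST-MD5")
    print(dn, "->", map_authz(dn))
    # constructed certificate-subject style DN for the second rule
    cert_dn = "email=matt@example.com,cn=matt,ou=Users,o=Example,c=TH"
    print(cert_dn, "->", map_authz(cert_dn))
    for pw in ("secret", "{SSHA}Y2hhbmdlbWU="):  # constructed values
        print(pw, "usable for DIGEST-MD5:", digest_md5_usable(pw))
```

Running it shows uid=matt,cn=example.com,cn=digest-md5,cn=auth rewritten to uid=matt,ou=Users,dc=example,dc=com by the first rule; the first rule only fires on identities ending in cn=auth, while the second rule's shape (email=..., c=TH) appears intended for the subject DN of a TLS client certificate, which never carries cn=auth and so falls through to the second pattern.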
I still cannot authenticate using the password from the userPassword attribute. I also attach 2 configuration files with this email. Is any configuration missing?
# slapd.conf - Configuration file for LDAP SLAPD

##########
# Basics #
##########
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        stats

modulepath      /usr/local/libexec/openldap
moduleload      back_hdb
moduleload      ppolicy

###########
# SSL/TLS #
###########
#TLSCACertificateFile   /CA/cacert.pem
TLSCACertificatePath    /CA/
TLSCertificateFile      /usr/local/etc/openldap/cert/ldap.example.com.cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/cert/ldap.example.com.key.pem
TLSVerifyClient         try

###########
# SASL
###########
authz-regexp    uid=([^,]+).*,cn=auth   uid=$1,ou=Users,dc=example,dc=com
authz-regexp    email=([^,]+),cn=([^,]+).*,c=TH$   uid=$2,ou=Users,dc=example,dc=com
sasl-realm      example.com
sasl-secprops   none

##########################
# Database Configuration #
##########################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap/example.com
index           objectClass     eq
index           cn              sub,eq

########
# ACLs #
########
#access to attrs=uid
#       by anonymous read
#       by users read

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
        by users read

access to *
        by self write
        by users read
        by * none

database        hdb
suffix          "dc=demo,dc=net"
rootdn          "cn=admin,dc=demo,dc=net"
rootpw          secret
directory       /var/lib/ldap/demo.net
index           objectClass     eq
index           cn              eq,sub,pres,approx
index           uid             eq,sub,pres

access to attrs=userPassword
        by anonymous auth
        by self write

access to dn.sub="dc=demo,dc=net"
        by dn.sub="dc=demo,dc=net" read
#This is the root of the directory tree
dn: dc=example,dc=com
description: Example.com, your trusted non-existent corporation.
dc: example
o: Example.com
objectClass: top
objectClass: dcObject
objectClass: organization

#Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.com Users
objectClass: organizationalUnit

#Subtree of Groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.com Groups
objectClass: organizationalUnit

#Subtree of System account
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

#
#USERS
#

#Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
#Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
#Work info:
title: System Integrator
description: System Integration and IT for Example.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
#Home info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago,IL $ 60699-1234
#Misc:
userPassword: secret
preferredLanguage: en-us:en-gb
#Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: 12345
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#LDAP Admin Group:
dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
ou: Groups
description: Users who are LDAP Administrators
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames

#Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject
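Two things in the posted files depend on the LDIF being internally consistent: the ACL clause "by group/groupOfUniqueNames/uniqueMember=..." only grants access to DNs that really exist, and the authz-regexp rules map SASL users onto uid=<name>,ou=Users,..., so each user entry needs a uid attribute. The block below is an added sanity check written for this page, not part of the thread and not an OpenLDAP tool. It contains a deliberately minimal LDIF reader (no base64 values, no escaped or multi-valued RDNs) and runs it over a constructed excerpt of the posted LDIF, in which the group entry names its members as uid=...,dc=example,dc=com without the ou=Users RDN, so the check reports both members as dangling.

```python
"""Added sanity check (not part of the thread): parse a small LDIF and report
group members that name no existing entry and password-bearing entries that
lack a uid attribute."""
import re

# Constructed excerpt of the LDIF posted in the thread (attributes the check
# needs only); the uniqueMember values are copied as posted.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organization

dn: ou=Users,dc=example,dc=com
ou: Users
objectClass: organizationalUnit

dn: uid=matt,ou=Users,dc=example,dc=com
uid: matt
cn: Matt Butcher
userPassword: secret
objectClass: inetOrgPerson

dn: uid=barbara,ou=Users,dc=example,dc=com
uid: barbara
cn: Barbara Jensen
userPassword: 12345
objectClass: inetOrgPerson

dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames

dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject
"""


def norm_dn(dn):
    """Case-fold and drop spaces around commas so DNs compare the way slapd
    compares them for these simple cases."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Return {normalized dn: {attr_lowercase: [values]}} for a simple LDIF:
    entries separated by blank lines, '#' comment lines skipped, lines that
    start with a space folded onto the previous line."""
    entries, current, lines = {}, None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[norm_dn(current["dn"][0])] = current
                current = None
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def dangling_members(entries):
    """(group dn, member dn) pairs whose member is not an entry in the LDIF;
    a group ACL clause can never match such a member."""
    return [(dn, m) for dn, attrs in entries.items()
            for m in attrs.get("uniquemember", [])
            if norm_dn(m) not in entries]


def password_without_uid(entries):
    """DNs that carry userPassword but no uid attribute; an authz-regexp that
    rewrites to uid=<name>,... cannot be the path to such an entry."""
    return [dn for dn, attrs in entries.items()
            if "userpassword" in attrs and "uid" not in attrs]


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print(len(tree), "entries parsed")
    for group, member in dangling_members(tree):
        print(f"{group}: uniqueMember {member} names no entry")
    print("userPassword without uid:", password_without_uid(tree))
```

With the excerpt as posted, both uniqueMember values are reported, because the users actually live under ou=Users,dc=example,dc=com; every entry that has a userPassword also has a uid, so the second list is empty. The same reader can be pointed at the full attached LDIF unchanged.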