Howard Chu wrote:
Hallvard B Furuseth wrote:
Rick Stevens writes:
I'm sure I'm not the only person having this issue, but I absolutely cannot seem to get SASL and LDAP to work. I want SASL to authenticate using the passwords in LDAP, but in the classic chicken-and-egg scenario, you can't talk to LDAP without having SASL working first.
Hmm, this could use a mention in the Admin Guide.
No.
I haven't tried it myself, but: In addition to setting up slapd to use SASL, you must set up SASL to use LDAP. In Cyrus SASL, that is described in doc/install.html: Build with LDAP support (the circular dependency shows up here too), then use the LDAPDB auxprop plugin.
The ldapdb plugin is only needed by other SASL-enabled services that are meant to use LDAP for authentication. It does not deserve mention in the OpenLDAP Admin Guide because it is strictly a SASL administrator's concern. That's also why we moved the ldapdb code from the OpenLDAP source tree into the Cyrus SASL source tree, and why the ldapdb plugin is only documented in the Cyrus SASL documentation. Don't muddy the picture by dragging in irrelevant elements.
For SASL authentication within OpenLDAP software, all of the necessary components are already intrinsic to libldap and slapd.
That's where I'm getting hosed, guys. I know that SUPPOSEDLY it's all there (this is an F8 install). I have all the passwords set up as cleartext in the userPassword attribute. If I try to authenticate as "root" WITHOUT an entry in sasldb for root, the ldapwhoami NEVER authenticates:
    [root@prophead ~]# ldapwhoami -w unix__gort
    SASL/DIGEST-MD5 authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): user not found: no secret in database
So, that's pretty obvious that it's NOT looking in LDAP for the password, isn't it? Now, WITH a password in the sasldb:
    [root@prophead ~]# ldapwhoami -w unix__gort
    SASL/DIGEST-MD5 authentication started
    SASL username: root
    SASL SSF: 128
    SASL installing layers
    dn:uid=root,cn=digest-md5,cn=auth
    Result: Success (0)
So, SASL is happy with an entry in the sasldb, but obviously that DN isn't in the LDAP database. So, I added an authz-regexp:
    authz-regexp
            uid=([^,]*),cn=[^,]*,cn=auth
            uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com
Now, ldapwhoami gives me:
    [root@prophead ~]# ldapwhoami -w unix__gort
    SASL/DIGEST-MD5 authentication started
    SASL username: root
    SASL SSF: 128
    SASL installing layers
    dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
    Result: Success (0)
Isn't that grand! That's what I want (I think), but it requires me to put an entry in the sasldb and I don't think that's necessary from what I gather from the docs. However, without it, I can't authenticate at all, and therefore can't even get to LDAP.
That being said, even that doesn't appear to be enough as I have an access rule:
    access to attrs=userPassword
            by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write
            by dn="cn=manager,dc=gbsbilling,dc=com" write
            by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
            by anonymous auth
            by self write
            by * none
and an ldapsearch as the root user (even using the root DN) will NOT display the userPassword fields. They will only display if I include a rule:
    by dn="uid=root,cn=digest-md5,cn=auth" write
as the first rule. So, the rewrite isn't being used in the "access to" stuff at all.
I'm sure I'm spectacularly dense on this but in the immortal words of my boss, "what the fark is going on here?"
----------------------------------------------------------------------
- Rick Stevens, Unix Geek                         rps2@socal.rr.com -
-                                                                    -
- Jimmie crack corn and I don't care...what kind of lousy attitude   -
- is THAT to have, huh?                          -- Dennis Miller    -
----------------------------------------------------------------------
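Editor's added example, not code from the thread or from OpenLDAP: a small Python model of the two slapd steps the post exercises, the authz-regexp rewrite of the SASL identity DN and the first-match evaluation of the "by" clauses in the "access to attrs=userPassword" rule. It uses the exact regexp and ACL quoted above, so it reproduces the mapped DN that ldapwhoami printed, and then shows which clause that DN falls through to. It also runs a hypothetical alternative replacement with a single ou=people (an assumption for illustration, not a recommendation from the thread) so you can see what the mapped DN would have to be to hit the first "by dn=" clause. Assumptions: DN normalisation is approximated by lower-casing and stripping whitespace (adequate for uid, ou, cn and dc, which match case-insensitively), Python's re stands in for the POSIX regex slapd compiles, and only the subject forms used in the posted rule (dn="…", anonymous, self, *) are implemented.

```python
import re

# Copied from the post: the authz-regexp as (pattern, replacement) and the
# "by" clauses of the userPassword ACL, in slapd.conf order.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     r"uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com"),
]
ACCESS_USERPASSWORD = [
    ('dn="uid=root,ou=people,dc=gbsbilling,dc=com"', "write"),
    ('dn="cn=manager,dc=gbsbilling,dc=com"', "write"),
    ('dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com"', "write"),
    ("anonymous", "auth"),
    ("self", "write"),
    ("*", "none"),
]
# Hypothetical alternative replacement (assumption for illustration only):
# same pattern, but a single ou=people component.
ALT_AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     r"uid=$1,ou=people,dc=gbsbilling,dc=com"),
]


def normalize_dn(dn):
    """Approximate slapd's DN normalisation for case-insensitive attribute
    types (uid, ou, cn, dc): lower-case and drop whitespace around commas."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def map_sasl_identity(sasl_dn, rules=AUTHZ_REGEXP):
    """Apply the first matching authz-regexp rule to the SASL identity DN.

    The pattern is searched (POSIX regexec semantics, so unanchored patterns
    match anywhere) and $1, $2, ... in the replacement are substituted.
    If no rule matches, slapd keeps the uid=...,cn=<mech>,cn=auth DN."""
    ident = normalize_dn(sasl_dn)
    for pattern, replacement in rules:
        m = re.search(pattern, ident, re.IGNORECASE)
        if m is None:
            continue
        mapped = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
        return normalize_dn(mapped)
    return ident


def resolve_access(bound_dn, target_dn, clauses=ACCESS_USERPASSWORD):
    """First "by" clause whose subject matches the bound identity decides;
    later clauses are never consulted. An empty bound_dn is an anonymous
    bind. Falls back to slapd's implicit "by * none"."""
    bound = normalize_dn(bound_dn) if bound_dn else ""
    target = normalize_dn(target_dn)
    for subject, level in clauses:
        if subject == "*":
            return level
        if subject == "anonymous":
            if bound == "":
                return level
        elif subject == "self":
            if bound and bound == target:   # accessing one's own entry
                return level
        elif subject.startswith('dn="') and subject.endswith('"'):
            if bound == normalize_dn(subject[4:-1]):  # exact DN match
                return level
        else:
            raise ValueError("unsupported subject form: " + subject)
    return "none"


def whoami_and_access(sasl_dn, target_dn, rules=AUTHZ_REGEXP,
                      clauses=ACCESS_USERPASSWORD):
    """Identity slapd would report (what ldapwhoami prints) and the access
    level that identity gets to userPassword on target_dn."""
    bound = map_sasl_identity(sasl_dn, rules)
    return bound, resolve_access(bound, target_dn, clauses)


if __name__ == "__main__":
    sasl = "uid=root,cn=digest-md5,cn=auth"
    target = "uid=alice,ou=people,dc=gbsbilling,dc=com"  # constructed entry
    print("posted config:      ", whoami_and_access(sasl, target))
    print("ACL DN itself:      ", resolve_access(
        "uid=root,ou=people,dc=gbsbilling,dc=com", target))
    print("alternative regexp: ", whoami_and_access(sasl, target, ALT_AUTHZ_REGEXP))
    extra = [('dn="uid=root,cn=digest-md5,cn=auth"', "write")]
    print("no regexp + extra by:", whoami_and_access(
        sasl, target, rules=[], clauses=extra + ACCESS_USERPASSWORD))
```

Running it shows the posted regexp producing uid=root,ou=people,ou=people,dc=gbsbilling,dc=com, the same DN ldapwhoami printed, which is not equal to the DN named in the first "by dn=" clause and so falls through to "by * none" on any entry but its own. The alternative replacement is the one change under which the mapped identity and the ACL's DN coincide; whether that is the right fix for the real directory depends on where the entry actually lives, which the thread does not say.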