7:35 a.m.
Hello,
I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
man slapd.conf encourages me into using SASL auth for rootdn instead of
setting the rootpw parameter in slapd.conf.
So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
admin@coruscant: userPassword which is what is expected.
But then I see that the password there is in plain text so I don't
really get the advantage of using SASL then. So I decide to use
saslauthd instead (which in turn will use pam by default).
My problem is that I could not find how to tell openldap to use
saslauthd instead of sasldb.
I tried to add a /usr/lib/sasl2/slapd.conf file with this inside (world
readable):
pwcheck_method: saslauthd
But it seems that this file is not read. I see that ubuntu created a
/etc/ldap/sasl2 directory for me but how could I know if sasl is looking
in it? How does sasl know it has to look for a slapd.conf file and not
openldap.conf or whatever.conf?
Could someone shed some light on this subject for me?
Cheers,
Gildas
7:46 a.m.
Gildas Bayard <gildas.bayard(a)hds.utc.fr> writes:
Hello,
I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
man slapd.conf encourages me into using SASL auth for rootdn instead
of setting the rootpw parameter in slapd.conf.
So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
admin@coruscant: userPassword which is what is expected.
But then I see that the password there is in plain text so I don't
really get the advantage of using SASL then. So I decide to use
saslauthd instead (which in turn will use pam by default).
Why do you want to use saslauthd and sasldb to authenticate rootdn
against slapd? And why do you complain about plaintext passwords in
sasldb? How else could you response to a challenge based on a shared
secret?
My problem is that I could not find how to tell openldap to use
saslauthd instead of sasldb.
[...]
Because in most cases a ldap server maintains its own user database
and password storage. Basics on how to implement SASL you can find in
the Admin Guide
http://www.openldap.org/doc/admin24/sasl.htm
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
7:52 a.m.
* Dieter Kluenter <dieter(a)dkluenter.de>:
Gildas Bayard <gildas.bayard(a)hds.utc.fr> writes:
> Hello,
>
> I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
> man slapd.conf encourages me into using SASL auth for rootdn instead
> of setting the rootpw parameter in slapd.conf.
>
> So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
> admin@coruscant: userPassword which is what is expected.
> But then I see that the password there is in plain text so I don't
> really get the advantage of using SASL then. So I decide to use
> saslauthd instead (which in turn will use pam by default).
Why do you want to use saslauthd and sasldb to authenticate rootdn
against slapd? And why do you complain about plaintext passwords in
sasldb? How else could you response to a challenge based on a shared
secret?
> My problem is that I could not find how to tell openldap to use
> saslauthd instead of sasldb.
[...]
Because in most cases a ldap server maintains its own user database
and password storage. Basics on how to implement SASL you can find in
the Admin Guide
http://www.openldap.org/doc/admin24/sasl.htm
I pretty much gave Gildas the same answer on the Cyrus SASL mailing list ...
p@rick
--
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
9:54 a.m.
Hello,
Indeed it was not clear from the doc whether it was an openldap pb or
a sasl pb so I posted on both lists at the same time.
Well I might be wrong but I think that even in the case of a shared
secret, passwords, which must indeed reside on both sides, can appear
in a somehow encrypted way and not in clear text. And since it is
endeed encrypted when it resides directly in slapd.conf (rootpw
parameter) I don't see the improvement in taking it away from
slpad.conf where it is encrypted to put it in sasldb where it is not.
I've gone through manuals and maybe I missed something but my main
point was "why is my sasl2/slapd.conf ignored". Looking at
sasl_server_init in openldap source code I found that, as expected,
the server name "slapd" is advertised so libsasl2 should look for
slapd.conf (I tried every possible dirs). I'm now investigating the
ubuntu patched sasl sources. If I'm right this is a sasl pb and not
openldap though so sorry if I posted on the wrong list.
Gildas
Patrick Ben Koetter <p(a)state-of-mind.de> a écrit :
* Dieter Kluenter <dieter(a)dkluenter.de>:
> Gildas Bayard <gildas.bayard(a)hds.utc.fr> writes:
>
> > Hello,
> >
> > I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
> > man slapd.conf encourages me into using SASL auth for rootdn instead
> > of setting the rootpw parameter in slapd.conf.
> >
> > So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
> > admin@coruscant: userPassword which is what is expected.
> > But then I see that the password there is in plain text so I don't
> > really get the advantage of using SASL then. So I decide to use
> > saslauthd instead (which in turn will use pam by default).
>
> Why do you want to use saslauthd and sasldb to authenticate rootdn
> against slapd? And why do you complain about plaintext passwords in
> sasldb? How else could you response to a challenge based on a shared
> secret?
>
> > My problem is that I could not find how to tell openldap to use
> > saslauthd instead of sasldb.
> [...]
>
> Because in most cases a ldap server maintains its own user database
> and password storage. Basics on how to implement SASL you can find in
> the Admin Guide
> http://www.openldap.org/doc/admin24/sasl.htm
I pretty much gave Gildas the same answer on the Cyrus SASL mailing list ...
p@rick
--
state of mind
Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666
Amtsgericht München Partnerschaftsregister PR 563
5185
days inactive
5186
days old
openldap-software@openldap.org
3 comments
3 participants
participants (3)
-
Dieter Kluenter -
Gildas Bayard -
Patrick Ben Koetter