Hello
Does anyone have experience using SASL OTP with OpenLDAP?
Here is what I understood so far:
- OTP stuff is stored in the SASL auxprop cmusaslsecretOTP, which can be stored in sasldb or in LDAP.
- If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if the OTP plugin is installed both on the client and the server, then the OTP challenge is presented when requesting the OTP method. That leaves me with two problems: how to set cmusaslsecretOTP in LDAP?
- If I use saslpasswd2, it will store cmusaslsecretOTP in sasldb. I can copy-paste it to the LDAP directory, which is not very satisfying.
- If I install the Cyrus ldapdb plugin and add a sasl2/saslpasswd.conf, it seems I can tell saslpasswd2 to write to the directory: ldapdb_uri: ldaps://ldap.example.com
I have not fully investigated, but it seems the thing cannot prompt for credentials: DN/password must be stored in saslpasswd.conf, which makes multiuser utilization troublesome.
- saslpasswd2 calls sasl_setpass(), and a look at the OpenLDAP sources shows that passwd_extop()/slap_sasl_setpass() does the same. That suggests it is possible to have slapd do the thing, but how does it work? In passwd_extop(), slap_sasl_setpass() will only be called if op->o_bd is NULL. In what situation does that happen?
- And my last problem is to generate OTPs. setkey(1) does not seem to produce something acceptable to SASL OTP. I have to investigate further.
On 04/09/09 10:34 +0000, Emmanuel Dreyfus wrote:
> - OTP stuff is stored in the SASL auxprop cmusaslsecretOTP, which can be
> stored in sasldb or in LDAP.
Correct. Your Cyrus SASL libraries will need to be compiled without the --with-opie option (which is the default on at least Debian).
> - If I install the Cyrus ldapdb plugin and add a sasl2/saslpasswd.conf,
> it seems I can tell saslpasswd2 to write to the directory: ldapdb_uri: ldaps://ldap.example.com
> I have not fully investigated, but it seems the thing cannot prompt for credentials: DN/password must be stored in saslpasswd.conf, which makes multiuser utilization troublesome.
Are you asking how to provide the ldap credentials to update openldap?
You can insert the appropriate SASL credentials into your saslpasswd2.conf file. A simple bind will not work. The options are documented in /doc/options.html within the cyrus sasl source tarball.
I prefer using the EXTERNAL mechanism since I'm always changing passwords on the same host that openldap is on, but any mechanism should be valid (e.g. DIGEST-MD5).
For reference, I have:
$ cat /usr/lib/sasl2/password.conf
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
> - And my last problem is to generate OTPs. setkey(1) does not seem
> to produce something acceptable to SASL OTP. I have to investigate further.
'otp-md5' from opie will generate otp responses, but it requires your shared secret to be at least 10 characters (which Cyrus SASL does not require).
-- Dan White BTC Broadband Ph 918.366.0248 (direct) main: (918)366-8000 Fax 918.366.6610 email: dwhite@olp.net http://www.btcbroadband.com
Dan White dwhite@olp.net wrote:
> $ cat /usr/lib/sasl2/password.conf
> auxprop_plugin: ldapdb
> ldapdb_uri: ldapi:///
> ldapdb_mech: EXTERNAL
That's saslpasswd2.conf and not password.conf, right?
On 04/09/09 19:53 +0200, Emmanuel Dreyfus wrote:
> Dan White dwhite@olp.net wrote:
> > $ cat /usr/lib/sasl2/password.conf
> > auxprop_plugin: ldapdb
> > ldapdb_uri: ldapi:///
> > ldapdb_mech: EXTERNAL
> That's saslpasswd2.conf and not password.conf, right?
We pass a '-a password' for whatever reason in our environment.
saslpassword2.conf is probably correct without the switch.
Dan White dwhite@olp.net wrote:
> - And my last problem is to generate OTPs. setkey(1) does not seem
> to produce something acceptable to SASL OTP. I have to investigate further.
> 'otp-md5' from opie will generate otp responses, but it requires your shared secret to be at least 10 characters (which Cyrus SASL does not require).
slapd tells me that I have an ACL problem with cmusaslsecretOTP. What access do you grant on it?
On 04/09/09 21:06 +0200, Emmanuel Dreyfus wrote:
> slapd tells me that I have an ACL problem with cmusaslsecretOTP. What access do you grant on it?
by anonymous auth by self write by * none
-- Dan White
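The three clauses above, written out as a complete slapd.conf access directive. This is an added example, not a configuration from the thread or from the OpenLDAP project; the attrs= target and the trailing catch-all rule are this example's own assumptions.

```conf
# Attribute-specific rule for the SASL OTP secret. It must precede any
# broader rule, because slapd applies the first "access to" directive
# whose target matches the entry/attribute being accessed.
access to attrs=cmusaslsecretOTP
        by anonymous auth
        by self write
        by * none

# Assumed catch-all for the rest of the directory; a generic
# "by users read" here would otherwise expose cmusaslsecretOTP
# to every authenticated user if it came first.
access to *
        by users read
        by * auth
```

Check the ordering with `slapacl` (or by reading slapd's ACL debug output) rather than trusting the file layout: a `by users read` rule placed above the attribute rule silently wins.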
Dan White dwhite@olp.net wrote:
> by anonymous auth by self write by * none
Ok, it works now. Beyond the ACL issue, I was not correctly generating the OTP with skey(1). I thought md5 was the default, but it seems it's not, since it works with skey -t md5.
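Since both the generation side (skey -t md5 / otp-md5) and the verification side (the OTP hash held in cmusaslsecretOTP) come up in this thread, here is the RFC 2289 MD5 one-time-password computation with a minimal server-side verifier. This is an added example, not code from the thread, from Cyrus SASL or from OpenLDAP; the OTPServerState layout, the enroll()/challenge()/verify() helpers and the sample pass phrase are this example's own assumptions, only the hashing itself follows RFC 2289.

```python
"""RFC 2289 OTP, MD5 variant (what `skey -t md5` and `otp-md5` compute).

Added example: not the thread's, Cyrus SASL's or OpenLDAP's code. The
server-state class and helper names below are assumptions made here.
"""
import hashlib
from dataclasses import dataclass


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit OTP for (passphrase, seed, sequence).

    Step 0 hashes the lower-cased seed concatenated with the pass phrase;
    each further step re-hashes and folds the previous 8-byte value.
    """
    if not 0 <= sequence <= 999:
        raise ValueError("sequence must be in 0..999")
    h = _fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(sequence):
        h = _fold(hashlib.md5(h).digest())
    return h


def otp_hex(passphrase: str, seed: str, sequence: int) -> str:
    """Hex form of the response (the "hex:..." shape a client can send)."""
    return otp_md5(passphrase, seed, sequence).hex()


@dataclass
class OTPServerState:
    """Assumed per-user server state: seed, the sequence number the client
    must answer next, and the last accepted hash (OTP for sequence + 1).
    Cyrus SASL keeps the same information in cmusaslsecretOTP; the exact
    on-disk encoding is not reproduced here."""
    seed: str
    sequence: int
    last_hash: bytes


def enroll(passphrase: str, seed: str, start: int = 99) -> OTPServerState:
    """Store OTP[start]; the client will first have to present OTP[start-1]."""
    return OTPServerState(seed=seed, sequence=start - 1,
                          last_hash=otp_md5(passphrase, seed, start))


def challenge(state: OTPServerState) -> str:
    """Challenge in the "otp-md5 <seq> <seed> ext" shape the client parses."""
    return f"otp-md5 {state.sequence} {state.seed} ext"


def verify(state: OTPServerState, response: str) -> bool:
    """Accept the response iff one more hash+fold of it equals the stored
    value, then move the stored value down the chain. A replayed response
    fails afterwards because it would have to hash to itself."""
    try:
        candidate = bytes.fromhex(response.removeprefix("hex:"))
    except ValueError:
        return False
    if len(candidate) != 8 or state.sequence < 0:
        return False
    if _fold(hashlib.md5(candidate).digest()) != state.last_hash:
        return False
    state.last_hash = candidate
    state.sequence -= 1
    return True


if __name__ == "__main__":
    # Constructed sample: pass phrase and seed are made up for this demo.
    state = enroll("correct horse", "ke1234", 99)
    print(challenge(state))
    print("first login:", verify(state, "hex:" + otp_hex("correct horse", "ke1234", 98)))
    print("replay:", verify(state, "hex:" + otp_hex("correct horse", "ke1234", 98)))
```

Run it once with the RFC 2289 test vector (pass phrase "This is a test.", seed "TeSt", sequence 0) and compare against `skey -t md5 0 TeSt` before blaming slapd: if the two disagree, the problem is on the generation side, as it was in this thread.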
openldap-software@openldap.org