Hi!
I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they do not have to deal with full bind-DNs, my client does not have to search for the user, and I can avoid slapo-rwm.
Yes, the connection is protected with TLS. Later it has to work with hashed userPassword values. It should be feasible. Or not?
Test system: latest OpenLDAP RE24, cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1
In my test setup everything works with DIGEST-MD5 but not with PLAIN or LOGIN (clear-text userPassword value for testing). The log shows that the SASL username gets mapped by authz-regexp to the correct LDAP user entry:
52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example
But SASL does not use "pwcheck_method: slapd" for the mechs PLAIN/LOGIN, while it works with DIGEST-MD5:

$ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
SASL/DIGEST-MD5 authentication started
SASL username: user
SASL SSF: 128
SASL data security layer installed.
dn:uid=user,ou=dept,o=example

$ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available: checkpass failed

$ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available: Password verification failed
For PLAIN or LOGIN the trace shows (running slapd -d config,stats,stats2,acl,args,trace):

SASL [conn=1002] Error: unknown password verifier(s) slapd
My /usr/lib64/sasl.conf contains:
---------------------------- snip ----------------------------
pwcheck_method: slapd
mech_list: plain login digest-md5 external
---------------------------- snip ----------------------------
I've checked that this is the right file by setting "pwcheck_method: foobar", which then appears in the logs.

My slapd.conf contains:
---------------------------- snip ----------------------------
disallow bind_anon
require bind LDAPv3 strong

# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
security transport=128 sasl=0
# Since we require TLS we can relax this
sasl-secprops none,minssf=0
---------------------------- snip ----------------------------
Any clue?
Ciao, Michael.
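The log lines quoted above show the SASL identity being rewritten by authz-regexp before any password check happens, which is why the mapping succeeds for every mechanism while only the PLAIN/LOGIN checkpass step fails. The following added example (not part of the post, not OpenLDAP's own code) replays that mapping step in Python: it parses an authz-regexp directive from a constructed slapd.conf fragment, builds the internal "uid=<user>,cn=<mech>,cn=auth" identity slapd derives from a SASL bind, and applies the first matching rule with $1..$9 expansion. The rule itself is an assumption modelled on the admin guide, since the post does not quote it; case-insensitive matching and first-match-wins mirror how slapd compiles these rules, and only DN-style replacements are handled (slapd also accepts LDAP URLs, which trigger a search).

```python
import re
import shlex

# Constructed slapd.conf fragment; the post only proves a rule exists via the
# "Converted SASL name to ..." log line, so this rule is an assumption.
SLAPD_CONF_FRAGMENT = '''
# map the SASL identity "uid=<user>,cn=<mech>,cn=auth" onto the real entry
authz-regexp "^uid=([^,]+),cn=[^,]+,cn=auth$" "uid=$1,ou=dept,o=example"
'''


def parse_authz_regexp(conf_text):
    """Collect (pattern, replacement) pairs from authz-regexp directives.

    Simplified parser: one directive per line, double-quoted arguments,
    no slapd.conf continuation lines.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) == 3 and parts[0].lower() == "authz-regexp":
            rules.append((parts[1], parts[2]))
    return rules


def sasl_authcid_to_dn(mech, user, realm=None):
    """Build the internal identity slapd derives from a SASL bind.

    With a realm the form is uid=<user>,cn=<realm>,cn=<mech>,cn=auth,
    without one it is uid=<user>,cn=<mech>,cn=auth.
    """
    mech = mech.lower()
    if realm:
        return f"uid={user},cn={realm},cn={mech},cn=auth"
    return f"uid={user},cn={mech},cn=auth"


def apply_authz_regexp(sasl_dn, rules):
    """Rewrite a SASL identity with the first matching authz-regexp rule.

    Returns None when nothing matches: the bind then fails instead of being
    mapped onto an unintended entry. Matching is case-insensitive (slapd
    compiles its rules with REG_ICASE; assumed here to match that).
    """
    for pattern, replacement in rules:
        match = re.match(pattern, sasl_dn, re.IGNORECASE)
        if match:
            # $1..$9 in the replacement refer to the capture groups
            return re.sub(
                r"\$([1-9])",
                lambda m: match.group(int(m.group(1))) or "",
                replacement,
            )
    return None


def main():
    rules = parse_authz_regexp(SLAPD_CONF_FRAGMENT)
    # Same user, different mechs: the mapping result is mechanism-independent,
    # so a PLAIN/LOGIN failure after this point is a password-check problem.
    for mech in ("DIGEST-MD5", "PLAIN", "LOGIN"):
        ident = sasl_authcid_to_dn(mech, "user")
        print(f"{ident:40s} -> {apply_authz_regexp(ident, rules)}")
    # An identity with a realm does not fit the rule and is left unmapped.
    ident = sasl_authcid_to_dn("PLAIN", "user", realm="example.com")
    print(f"{ident:40s} -> {apply_authz_regexp(ident, rules)}")


if __name__ == "__main__":
    main()
```

Running it prints the same target DN for all three mechanisms and None for the realm-qualified identity; tightening the pattern this way (anchored, no commas allowed in the captured username) keeps a crafted SASL username from landing in a DN component you did not intend.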