Hello Michael,
On Sat, 08 Feb 2014 11:45:52 +0100, Michael Ströder michael@stroeder.com wrote:
Hi!
I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they do not have to deal with full bind-DNs, my client does not have to search for the user, and to avoid slapo-rwm.
Yes, the connection is protected with TLS. Later it has to work with hashed userPassword values. It should be feasible. Or not?
Test system: latest OpenLDAP RE24 cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1
In my test setup everything works with DIGEST-MD5 but not with PLAIN or LOGIN (clear-text userPassword value for testing). The log shows that the SASL username gets mapped by authz-regexp to the correct LDAP user entry:
52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example
But SASL does not use "pwcheck_method: slapd" for mechs PLAIN/LOGIN but works with DIGEST-MD5:
$ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
SASL/DIGEST-MD5 authentication started
SASL username: user
SASL SSF: 128
SASL data security layer installed.
dn:uid=user,ou=dept,o=example

$ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available: checkpass failed

$ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available: Password verification failed
The trace shows for PLAIN or LOGIN (running slapd -d config,stats,stats2,acl,args,trace):
SASL [conn=1002] Error: unknown password verifier(s) slapd
My /usr/lib64/sasl.conf contains:

---------------------------- snip ----------------------------
pwcheck_method: slapd
mech_list: plain login digest-md5 external
---------------------------- snip ----------------------------

I've checked that this is the right file by setting "pwcheck_method: foobar", which then appears in the logs.
Wrong configuration file. You should configure slapd in /etc/sasl2/slapd.conf:

mech_list: gssapi digest-md5 cram-md5 external plain login
auxprop_plugin: slapd

ldapwhoami -Y LOGIN -U mailadmin -w secret -H ldapi:///
SASL/LOGIN authentication started
SASL username: mailadmin
SASL SSF: 0
dn:cn=mailadmin,o=avci,c=de
-Dieter
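A sanity check for the slapd SASL configuration file discussed in this thread, added here as an example and not code from either poster. It assumes Cyrus SASL's "key: value" file syntax, that "auxprop_plugin: slapd" is the intended setting, and uses two constructed sample files in place of /etc/sasl2/slapd.conf; the "pwcheck_method: slapd" finding mirrors the "unknown password verifier(s) slapd" trace above.

```shell
#!/bin/sh
# Added example: check a Cyrus SASL config intended for slapd.
# Reads "key: value" lines (blank and '#' lines ignored) and reports
#  - pwcheck_method set to "slapd", which Cyrus does not know as a verifier
#  - a missing/other auxprop_plugin, so userPassword is never consulted
#  - plain/login in mech_list, which carry the clear-text password and
#    therefore need TLS (or a local ldapi:// socket) in front of them.
set -u

# sasl_get FILE KEY -> value of KEY (last occurrence wins), empty if unset
sasl_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

# check_sasl_conf FILE -> 0 when the file looks right for slapd, else 1;
# every finding is printed on its own line
check_sasl_conf() {
    f=$1; rc=0
    pw=$(sasl_get "$f" pwcheck_method)
    aux=$(sasl_get "$f" auxprop_plugin)
    mechs=$(sasl_get "$f" mech_list)
    if [ "$pw" = slapd ]; then
        echo "$f: pwcheck_method 'slapd' is not a Cyrus SASL verifier; use auxprop_plugin: slapd"
        rc=1
    fi
    if [ "$aux" != slapd ]; then
        echo "$f: auxprop_plugin is '${aux:-unset}', expected 'slapd' so userPassword is checked"
        rc=1
    fi
    for m in $mechs; do
        case "$m" in
            plain|login) echo "$f: mech '$m' sends the clear-text password; require TLS or ldapi:// for it" ;;
        esac
    done
    return $rc
}

# Constructed samples (hypothetical paths) for a stand-alone run
WORK=$(mktemp -d)
printf 'pwcheck_method: slapd\nmech_list: plain login digest-md5 external\n' > "$WORK/bad.conf"
printf '# /etc/sasl2/slapd.conf\nmech_list: gssapi digest-md5 cram-md5 external plain login\nauxprop_plugin: slapd\n' > "$WORK/good.conf"

check_sasl_conf "$WORK/bad.conf" || echo "bad.conf: misconfigured"
check_sasl_conf "$WORK/good.conf" && echo "good.conf: ok"
```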