Hi Michael, thank you so much for your response. 1. Yes, I am talking about SASL bind with password-based mechs. What do you mean by in-directory passwords? Where are the in-directory passwords stored? How do I set userPassword attributes? Can you give an example? It should be in slapd.conf, I assume.
2. Again, what do you mean by the directory? What is the best practice if I want to implement SASL bind with my OpenLDAP? Can you advise please.
3. Can you give an example of slapd.conf with configuration for a DIGEST-MD5 SASL authentication method? I am pretty lost now. All that you mention I have read before, but I just don't know how to piece them all together.
4. I didn't put a hashed password in slapd.conf. But the clear-text password will be the actual password for the LDAP admin? For example, if I set rootpw to admin, the password I provide when LDAP prompts for a password should be "admin"?
5. What do you mean by grant access to users? Can you please explain more?
I am really lost, hopefully you can assist and guide me, thanks in advance, Michael.
2009/6/27 Michael Ströder michael@stroeder.com
Seau Yeen Su wrote:
- After using saslpasswd2 to create the username and password in the sasl database, do I need to add the entry into the ldap database with the slappasswd command? When I used the slapadd command and it prompts for a password, does it authenticate against the sasl database or the ldap database?
I assume you're talking about SASL bind with password-based mechs.
It depends whether you want in-directory passwords (mainly userPassword with clear-text password as attribute value) or not.
- Do I need to issue saslpasswd2 for each and every user that I want to add into the ldap database and to be authenticated via ldap?
Only if you don't store the passwords in the directory.
- In the slapd.conf file, under rootpw, am I supposed to use the word "secret" or the cleartext password that I keyed in using saslpasswd2 or some encrypted password?
As with values for the attribute userPassword, rootpw can be hashed or clear-text. If you also want to bind as rootdn with SASL bind with mech CRAM-MD5 or DIGEST-MD5 then it has to be clear-text. Otherwise it can be hashed (e.g. generated/hashed with the command-line tool slappasswd).
- What is the difference between sasl-regexp and authz-regexp?
authz-regexp is the recent keyword in slapd.conf for this.
Example:
authz-regexp "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth" "ldap:///ou=schulung??sub?(uid=$1)"
- Let's say I issued saslpasswd2 -c admin to create admin as the LDAP administrator. Does this mean in the slapd.conf the rootdn should be admin, or can it be another name that will be mapped via sasl-regexp/authz-regexp? (Which does it use anyway between these 2: sasl-regexp & authz-regexp?)
SASL bind with digest password mech only knows a plain user-ID. So you need an appropriate authz-regexp in slapd.conf to map it to a DN of an existing entry.
- Previously I set up without sasl and it was rather straightforward, merely using slappasswd and saving the encrypted password into slapd.conf.
If you used a hashed password in rootpw and you did nothing else then I doubt you could use that with SASL/DIGEST-MD5 bind.
Don't forget to double check the access control rule for userPassword. It should contain a clause to grant auth access to anyone.
Example:
access to attrs=userPassword by group="cn=Password Admins,ou=Groups,ou=schulung" =wx by self =wx by * =x
Ciao, Michael.
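Added example, not part of the thread and not OpenLDAP's own documentation: one slapd.conf fragment that puts together the three points above (the authz-regexp mapping, a clear-text rootpw for SASL bind as rootdn, and an ACL that grants only auth access to userPassword). The suffix dc=example,dc=com, the realm, the "Password Admins" group DN and the root password are assumed placeholders.

```conf
# Realm that slapd announces to DIGEST-MD5 clients; the client must send the
# same realm (assumed value).
sasl-realm      example.com

# A password-based SASL bind only yields a user-ID, never a DN. slapd presents
# it as uid=<user>,cn=<realm>,cn=<mech>,cn=auth (or without the cn=<realm>
# part when no realm was sent) and authz-regexp rewrites that into a search
# for the real entry. Directives are tried in order; the first match wins.
authz-regexp
    "uid=([a-zA-Z0-9]+),cn=example.com,cn=(digest-md5|cram-md5),cn=auth"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"
authz-regexp
    "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Clear-text is required here only if you want to SASL-bind as the rootdn with
# DIGEST-MD5/CRAM-MD5 (the server must recompute the digest). A slappasswd
# hash such as {SSHA}<hash> works for simple bind only.
rootpw          CHANGE-ME-PLACEHOLDER

# Users whose userPassword is stored clear-text in the directory need no
# saslpasswd2 entry: slapd checks the digest against the attribute itself.
# Because those values are clear-text, nobody may READ them: the group and
# the owner may replace them (w) and everyone may only authenticate with
# them (x). Clauses are evaluated top to bottom, first matching "by" wins.
access to attrs=userPassword
    by group="cn=Password Admins,ou=groups,dc=example,dc=com" =wx
    by self =wx
    by * =x

# Keep an explicit catch-all so the remaining attributes stay readable.
access to *
    by * read
```

To confirm the mapping, bind with `ldapwhoami -Y DIGEST-MD5 -U alice`: the DN it prints is the entry the authz-regexp resolved, and a user-ID that matches no entry leaves the session with no DN, which is the usual reason ACLs then deny everything.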