On 23/09/10 12:27 -0500, Erik Lotspeich wrote:

I have an OpenLDAP installation that I use as an addressbook. I do not use OpenLDAP for authentication on my network. I am using it on an internal network with anonymous read-only access.

I would like to require user-level authentication and I would like to authenticate access to the LDAP database using system users in /etc/passwd. Is this possible?

Yes. How flexible that support may be depends on whether or not LDAPv3 is supported by your addressbook LDAP client (see below).

For authorization, I would like a few users to have read/write access and others to be read-only. I would like to disallow anonymous access to the database.

I do:

access to dn.base="" by * read

(which is necessary for SASL)

and then a catchall of:

access to * . . . by self read by * none

And above those two statements I have several more specific ACLs where needed, such as ACLs for accessing address books based on group membership.

I have SSL/TLS set up now and that works; I would like to be able to turn off all non-SSL access to the database once the authentication/authorization is set up.

I don't know the best way to accomplish that.

You can authenticate against PAM by using saslauthd. Assuming that your client supports LDAPv3, you can authentication against saslauthd by way of SASL binds using the PLAIN (or LOGIN) mechanism.

You'll need to create/edit /usr/lib/sasl2/slapd.conf (or /etc/sasl2/slapd.conf depending on your SASL version and operating system defaults). Note that this is the SASL slapd.conf config file, not the OpenLDAP slapd.conf configuration file. Its contents might be:

pwcheck_method: saslauthd mech_list: plain login gssapi external auxprop_plugin: slapd (not necessary on newer versions of openldap)

You will need to install saslauthd and start it with a '-a pam' option. If your slapd process does not run as the root user, you will need to verify that the user or group that your slapd process runs as can access the saslauthd unix domain socket, typically found somewhere underneath /var.

SASL binds using PLAIN should then authentication against pam (with a pam service name of 'slapd').

To allow plaintext SASL authentication, you'll need:

sasl-secprops none

in your openldap config (not your sasl config)

To test your saslauthd/pam authentication outside of slapd, try:

testsaslauthd -u username -p password -s slapd

If that works, then:

ldapwhoami -Y plain -U username -H ldap://ldap.example.com

should also.

If so, your authentication identity will probably be something like:

uid=username,cn=plain,cn=auth

See chapter 15 of the OpenLDAP Software 2.4 Administrator's Guide on how to map such identities to DNs within your directory, which you may or may not wish to do.

If your clients do not support LDAPv3, but instead require simple binds for authentication, you'd have to create LDAP entries for all your users, and insert a userPassword attribute into each entry with the format of:

userPassword: {SASL}username@domainname

You'll also need to have compiled your slapd with the --enable-spasswd configure option.