Hi, I am trying to install OpenLDAP with SASL. The version of OpenLDAP I installed is openldap-2.4.16, whereas the cyrus-sasl version installed is cyrus-sasl-2.1.23. The BerkeleyDB version installed is 4.4.
I followed the guidance in this link to do the installation: http://tldp.org/HOWTO/LDAP-HOWTO/sasl.html However, when I tried to add users defined in an LDIF file, I received the error ldap_sasl_interactive_bind_s: Invalid credentials (49) when I keyed in the password generated for admin using the saslpasswd2 command. I have a few questions:
1. After using saslpasswd2 to create the username and password in the SASL database, do I need to add the entry into the LDAP database with the slappasswd command? When I use the slapadd command and it prompts for a password, does it authenticate against the SASL database or the LDAP database?
2. Do I need to issue saslpasswd2 for each and every user that I want to add into the LDAP database and to be authenticated via LDAP?
3. In the slapd.conf file, under rootpw, am I supposed to use the word "secret", the cleartext password that I keyed in using saslpasswd2, or some encrypted password?
4. What is the difference between sasl-regexp and authz-regexp?
5. Let's say I issued saslpasswd2 -c admin to create admin as the LDAP administrator. Does this mean that in slapd.conf the rootdn should be admin, or can it be another name that will be mapped via sasl-regexp/authz-regexp? (Which does it use anyway between these two: sasl-regexp or authz-regexp?)
6. Previously I set up without SASL and it was rather straightforward, merely using slappasswd and saving the encrypted password into slapd.conf. Now I am totally lost with its concept. I do know that names in the LDAP database have to be mapped to the names in the SASL database. Hopefully you can enlighten me on the whole concept and how the configuration should be done.
Thank you. Hope to receive some advice and guidance.
Seau Yeen Su wrote:
- After using saslpasswd2 to create the username and password in sasl
database, do i need to add the entry into ldap database with slappasswd command? When i used slapadd command and it prompts for password, does it authenticate against sasl database or ldap database?
I assume you're talking about SASL bind with password-based mechs.
It depends on whether you want in-directory passwords (mainly userPassword with a clear-text password as attribute value) or not.
- Do i need to issue saslpasswd2 for each and every user that i want to
add into ldap database and to be authenticated via ldap?
Only if you don't store the passwords in the directory.
- In the slapd.conf file, under rootpw, am i supposed to use the word
"secret" or the cleartext password that i keyed in using saslpasswd2 or some encrypted password?
Like values of the attribute userPassword, rootpw can be hashed or clear-text. If you also want to bind as rootdn with SASL bind with mech CRAM-MD5 or DIGEST-MD5 then it has to be clear-text. Otherwise it can be hashed (e.g. generated/hashed with the command-line tool slappasswd).
- What is the difference between sasl-regexp and authz-regexp?
authz-regexp is the recent keyword in slapd.conf for this.
Example:
authz-regexp "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth" "ldap:///ou=schulung??sub?(uid=$1)"
- Let's say i issued saslpasswd2 -c admin to create admin as the LDAP
administrator. Does this mean in the slapd.conf, the rootdn should be admin or can it be another name, that will be mapped via sasl-regexp/authz-regexp? (Which does it use anyway between these 2 : sasl-regexp & authz-regexp?)
SASL bind with digest password mech only knows a plain user-ID. So you need an appropriate authz-regexp in slapd.conf to map it to a DN of an existing entry.
- Previously I set up without sasl and it was rather straightforward,
merely using slappasswd and save the encyrpted pasword into slapd.conf.
If you used a hashed password in rootpw and you did nothing else then I doubt you could use that with SASL/DIGEST-MD5 bind.
Don't forget to double-check the access control rule for userPassword. It should contain a clause that grants auth access to anyone.
Example:
access to attrs=userPassword by group="cn=Password Admins,ou=Groups,ou=schulung" =wx by self =wx by * =x
Ciao, Michael.
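To make the authz-regexp mapping in the reply above concrete, here is an added Python example (written for this editing pass, not code from the thread or from OpenLDAP). It applies the same regexp and LDAP URL to the DN that slapd synthesizes after a DIGEST-MD5 or CRAM-MD5 bind, then resolves the URL against a small in-memory directory. The directory, its entries and uids, and the duplicate uid "bob" are all constructed for the example; the search supports only the equality filter the rule produces.

```python
import re

# Constructed stand-in for the ou=schulung subtree mentioned in the thread; not real data.
DIRECTORY = {
    "uid=alice,ou=people,ou=schulung": {"uid": ["alice"]},
    "uid=bob,ou=people,ou=schulung": {"uid": ["bob"]},
    "uid=bob,ou=contractors,ou=schulung": {"uid": ["bob"]},   # same uid twice: ambiguous
    "cn=Password Admins,ou=Groups,ou=schulung": {"cn": ["Password Admins"]},
}

# The authz-regexp pair quoted in the reply above: (match pattern, replacement URL).
AUTHZ_REGEXP = (
    r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5),cn=auth",
    "ldap:///ou=schulung??sub?(uid=$1)",
)


def rewrite_authcid(sasl_dn, pattern, replacement):
    """Apply one authz-regexp line: return the rewritten URL/DN, or None if no match."""
    m = re.fullmatch(pattern, sasl_dn)
    if m is None:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace("$%d" % i, group)      # slapd writes capture groups as $1..$9
    return out


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("authz-regexp replacement must be a DN or an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?") + ["", "", "", ""]
    base, _attrs, scope, filt = parts[:4]
    return base, scope or "base", filt or "(objectClass=*)"


def search(base, scope, filt):
    """Tiny equality-filter search over DIRECTORY, enough for (uid=$1)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError("only (attr=value) filters are supported in this example")
    attr, value = m.group(1), m.group(2)
    base_l = base.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        dn_l = dn.lower()
        if scope == "base":
            in_scope = dn_l == base_l
        else:  # "sub": the base entry itself and everything below it
            in_scope = dn_l == base_l or dn_l.endswith("," + base_l)
        if in_scope and value in entry.get(attr, []):
            hits.append(dn)
    return hits


def map_sasl_identity(sasl_dn):
    """What slapd does after a successful SASL bind to find the authorization DN."""
    url = rewrite_authcid(sasl_dn, *AUTHZ_REGEXP)
    if url is None:
        # No rule matched: slapd keeps the synthetic cn=auth DN, which names no entry,
        # so ACL clauses such as "by self" or "by group" never match this identity.
        return sasl_dn
    hits = search(*parse_ldap_url(url))
    if len(hits) != 1:
        return None   # slapd requires exactly one entry; zero or several fails the bind
    return hits[0]


if __name__ == "__main__":
    for authcid in ("uid=alice,cn=digest-md5,cn=auth",
                    "uid=bob,cn=cram-md5,cn=auth",
                    "uid=alice,cn=plain,cn=auth"):
        print(authcid, "->", map_sasl_identity(authcid))
```

Note that the pattern in the reply only matches the digest-md5 and cram-md5 mechanisms, so a bind with any other mechanism keeps its cn=auth DN and is never mapped; and a uid that occurs more than once under the search base makes the mapping, and therefore the bind, fail.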
Hi Michael, thank you so much for your response.
1. Yes, I am talking about SASL bind with password-based mechs. What do you mean by in-directory passwords? Where are the in-directory passwords stored? How do I set userPassword attributes? Can you give an example? It should be in slapd.conf, I assume.
2. Again, what do you mean by the directory? What is the best practice if I want to implement SASL bind with my OpenLDAP? Can you advise please?
3. Can you give an example of slapd.conf with configuration for a DIGEST-MD5 SASL authentication method? I am pretty lost now. All that you mention I have read before, but I just don't know how to piece it all together.
4. I didn't put a hashed password in slapd.conf. But the clear-text password will be the actual password for the LDAP admin? For example, if I set rootpw to admin, the password I provide when LDAP prompts for a password should be "admin"?
5. What do you mean by grant access to users? Can you please explain more?
I am really lost; hopefully you can assist and guide me. Thanks in advance, Michael.
2009/6/27 Michael Ströder michael@stroeder.com
Seau Yeen Su seauyeen@mgrc.com.my writes:
Hi Michael, thank you so much for your response.
- Yes, i am talking about SASL bind with password-based mechs. What do you
mean by in-directory passwords? Where are the in-directory passwords stored? How do i set userPassword attributes? Can you give an example? It should be in slapd.conf, i assume.
No, userPassword is an attribute type.
- Again, what do you mean by the directory? What is the best practice if i
want to implement SASL bind with my openldap? Can you advise please.
1. Add the following attribute to cn=config:
olcAuthzRegexp: {0}"uid=(.*),cn=.*,cn=auth" "ldap:///dc=example,dc=com??sub?uid=$1"
2. SASL requires the attribute type 'uid'; if your user entries don't have this attribute assigned, add it. This may require the additional objectclass uidobject if your user entries do not belong to objectclass inetOrgPerson.
3. In order to verify the SASL mechanism challenge, the value of userPassword has to be plaintext. To ensure this, add something like olcPasswordHash: {CLEARTEXT} to cn=config.
4. Try something like 'ldapwhoami -Y digest-md5 -U someUser -w secret -H ldap://your.host'. The result should be the DN of someUser.
[...]
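Both replies so far say that DIGEST-MD5 (and CRAM-MD5) binds need the cleartext password in userPassword or rootpw, while a simple bind is happy with a slappasswd {SSHA} hash. The following added Python example (written for this editing pass; not code from the thread, OpenLDAP or Cyrus SASL) shows why, by carrying out the DIGEST-MD5 response computation from RFC 2831 for qop=auth on both sides. The username, realm, digest-uri, nonces and passwords are all constructed values; the server-side checks model what slapd can and cannot do with a given stored userPassword value.

```python
import base64
import hashlib
import hmac
import os

# Constructed exchange parameters; nothing here comes from a real server or client.
USERNAME = b"someUser"
REALM = b"your.host"
PASSWORD = b"secret"
DIGEST_URI = b"ldap/your.host"
NONCE = b"constructed-server-nonce"
CNONCE = b"constructed-client-nonce"
NC = b"00000001"
QOP = b"auth"


def h(data):
    return hashlib.md5(data).digest()


def hexd(data):
    return data.hex().encode()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client response value for qop=auth, RFC 2831 section 2.1.2.1 (no authzid)."""
    # A1 starts with the raw MD5 of user:realm:password; this is the only place the
    # password enters, and it has to be the cleartext password on both sides.
    a1 = h(username + b":" + realm + b":" + password) + b":" + nonce + b":" + cnonce
    a2 = b"AUTHENTICATE:" + digest_uri
    kd = (hexd(h(a1)) + b":" + nonce + b":" + nc + b":" + cnonce + b":" + qop
          + b":" + hexd(h(a2)))
    return hexd(h(kd))


def ssha(password, salt=None):
    """slappasswd-style {SSHA} value, the usual hashed form of userPassword."""
    salt = os.urandom(4) if salt is None else salt
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def simple_bind_check(stored, password):
    """Simple bind: a hashed userPassword can be verified by re-hashing the offered password."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    return hmac.compare_digest(stored, password)   # cleartext value, compared as-is


def digest_bind_check(stored, username, realm, nonce, cnonce, nc, qop, digest_uri, response):
    """SASL DIGEST-MD5: the server must recompute H(user:realm:password) itself, so it
    needs the cleartext password. A {SSHA} or other hashed value cannot be turned back
    into that, and the bind fails regardless of what the client sent."""
    if stored.startswith(b"{CLEARTEXT}"):      # slapd stores cleartext without a prefix,
        stored = stored[len(b"{CLEARTEXT}"):]  # but accept an explicit scheme tag too
    elif stored.startswith(b"{"):
        return False                           # hashed scheme: verification impossible
    expected = digest_md5_response(username, realm, stored, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def run_exchange(stored_userpassword, offered_password):
    """One DIGEST-MD5 bind attempt: client computes the response, server checks it."""
    response = digest_md5_response(USERNAME, REALM, offered_password,
                                   NONCE, CNONCE, NC, QOP, DIGEST_URI)
    return digest_bind_check(stored_userpassword, USERNAME, REALM,
                             NONCE, CNONCE, NC, QOP, DIGEST_URI, response)


if __name__ == "__main__":
    hashed = ssha(PASSWORD, salt=b"\x01\x02\x03\x04")
    print("simple bind, {SSHA} stored :", simple_bind_check(hashed, PASSWORD))
    print("DIGEST-MD5, {SSHA} stored  :", run_exchange(hashed, PASSWORD))
    print("DIGEST-MD5, cleartext      :", run_exchange(PASSWORD, PASSWORD))
    print("DIGEST-MD5, wrong password :", run_exchange(PASSWORD, b"wrong"))
```

This is also why saslpasswd2 is only needed for accounts whose secret is not in the directory: Cyrus SASL keeps its own sasldb with the cleartext secrets it needs for these mechanisms, and slapd can only stand in for that store if userPassword holds the cleartext (hence the {CLEARTEXT} password-hash setting in the reply above).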
Seau Yeen Su wrote:
- Yes, i am talking about SASL bind with password-based mechs. What do
you mean by in-directory passwords? Where are the in-directory passwords stored? How do i set userPassword attributes?
The userPassword attribute is an attribute like any other attribute within the user's directory entry.
See entry
- Again, what do you mean by the directory?
Well, simply your LDAP server with the database.
- Can you give an example of slapd.conf with configuration for a
digest-MD5 SASL authenticaion method? I am pretty lost now. All that you mention i have read before but i just don't know how to piece them all together.
Well, I don't want to be rude but you should probably do some more reading. I've attached a tar.gz with a testbed configuration I've prepared for SASL testing with the CAS SSO project. But judging from some of your questions it seems you might also be lost with this.
For example, if I set rootpw to admin, the password I provide when LDAP prompts for a password should be "admin"?
Yes, then the password is simply "admin" and you should be able to use SASL/DIGEST-MD5 bind.
- What do you mean by grant access to users? Can you please explain more?
You should read about access control: http://www.openldap.org/doc/admin24/access-control.html http://www.openldap.org/faq/data/cache/189.html
Ciao, Michael.
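The access control pointers above are easiest to follow on the one ACL line the first reply gave. Here is an added Python example (written for this editing pass, not code from the thread or from slapd) that parses that line, evaluates it with slapd's first-matching-"by"-clause rule, and contrasts it with the same line minus the "by * =x" clause. The DNs alice, bob and carol and the group membership are constructed; only the explicit "=privs" form used on the page is handled, and "group=" is treated as a plain member list rather than the objectClass/attribute lookup slapd does.

```python
import shlex

# The access line quoted in the first reply, and a variant without the anonymous clause.
ACL_LINE = ('access to attrs=userPassword '
            'by group="cn=Password Admins,ou=Groups,ou=schulung" =wx by self =wx by * =x')
ACL_LINE_NO_ANON = ('access to attrs=userPassword '
                    'by group="cn=Password Admins,ou=Groups,ou=schulung" =wx by self =wx')

# Constructed directory data: existing user DNs and who is in the password-admin group.
ALICE = "uid=alice,ou=people,ou=schulung"
BOB = "uid=bob,ou=people,ou=schulung"
CAROL = "uid=carol,ou=people,ou=schulung"
GROUP_MEMBERS = {"cn=password admins,ou=groups,ou=schulung": {CAROL}}


def norm(dn):
    return dn.lower()


def parse_access(line):
    """Turn 'access to <what> by <who> <access> ...' into (what, [(kind, arg, privs), ...])."""
    tokens = shlex.split(line)            # shlex keeps the quoted group DN as one token
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive")
    what = tokens[2]
    clauses = []
    i = 3
    while i < len(tokens):
        if tokens[i] != "by":
            raise ValueError("expected 'by' at token %d" % i)
        who, access = tokens[i + 1], tokens[i + 2]
        if not access.startswith("="):
            raise ValueError("only the explicit =privs form is handled in this example")
        if "=" in who:                     # e.g. group=cn=Password Admins,...
            kind, arg = who.split("=", 1)
        else:                              # self, *, anonymous, users
            kind, arg = who, None
        clauses.append((kind, arg, set(access[1:])))   # e.g. "=wx" -> {"w", "x"}
        i += 3
    return what, clauses


def granted(clauses, requester_dn, target_dn):
    """slapd semantics: the first 'by' clause whose <who> matches decides;
    if none matches, nothing is granted (the implicit trailing 'by * none')."""
    for kind, arg, privs in clauses:
        if kind == "*":
            return privs
        if requester_dn is None:
            continue                       # anonymous never matches self or group
        if kind == "self" and norm(requester_dn) == norm(target_dn):
            return privs
        if kind == "group" and norm(requester_dn) in GROUP_MEMBERS.get(norm(arg), set()):
            return privs
    return set()


def can(line, requester_dn, target_dn, priv):
    """Does <requester_dn> (None = anonymous) get privilege <priv> on <target_dn>'s userPassword?"""
    _what, clauses = parse_access(line)
    return priv in granted(clauses, requester_dn, target_dn)


if __name__ == "__main__":
    print("anonymous may authenticate against alice:", can(ACL_LINE, None, ALICE, "x"))
    print("alice may change her own password:       ", can(ACL_LINE, ALICE, ALICE, "w"))
    print("carol (group) may set alice's password:  ", can(ACL_LINE, CAROL, ALICE, "w"))
    print("bob may read alice's password:           ", can(ACL_LINE, BOB, ALICE, "r"))
    print("without 'by * =x', anonymous may auth:   ", can(ACL_LINE_NO_ANON, None, ALICE, "x"))
```

The point to take from the last line: a simple bind is evaluated while the connection is still anonymous, so "by self" cannot match at that moment and only the "by * =x" clause supplies the auth access the bind needs. Drop it and every simple bind fails with invalid credentials, even with a correct password. Equally, "=wx" grants only write and auth, so nobody in this ACL, not even the password admins, can read the userPassword values back.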
Hi, thanks for the documents. I seriously need more documentation to read, but it's a bit hard to find useful documents. Let me go through them first.
2009/6/29 Michael Ströder michael@stroeder.com
openldap-technical@openldap.org