Hello Michael,
On Sat, 08 Feb 2014 11:45:52 +0100, Michael Ströder <michael(a)stroeder.com> wrote:
Hi!
I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they
do not have to deal with full bind-DNs, my client does not have to
search for the user, and I can avoid slapo-rwm.
Yes, the connection is protected with TLS.
Later it has to work with hashed userPassword values.
It should be feasible. Or not?
Test system:
latest OpenLDAP RE24
cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1
In my test setup everything works with DIGEST-MD5 but not with PLAIN
or LOGIN (clear-text userPassword value for testing).
The log shows that the SASL username gets mapped by authz-regexp to
the correct LDAP user entry:
52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example
But SASL does not use "pwcheck_method: slapd" for mechs PLAIN/LOGIN
but works with DIGEST-MD5:
$ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
SASL/DIGEST-MD5 authentication started
SASL username: user
SASL SSF: 128
SASL data security layer installed.
dn:uid=user,ou=dept,o=example
$ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: checkpass failed
$ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Password verification failed
The trace shows for PLAIN or LOGIN
(running slapd -d config,stats,stats2,acl,args,trace):
SASL [conn=1002] Error: unknown password verifier(s) slapd
My /usr/lib64/sasl.conf contains:
---------------------------- snip ----------------------------
pwcheck_method: slapd
mech_list: plain login digest-md5 external
---------------------------- snip ----------------------------
I've checked that this is the right file by setting "pwcheck_method:
foobar" which appears in the logs then.
Wrong configuration file. You should configure slapd in /etc/sasl2/slapd.conf:
mech_list: gssapi digest-md5 cram-md5 external plain login
auxprop_plugin: slapd
ldapwhoami -Y LOGIN -U mailadmin -w secret -H ldapi:///
SASL/LOGIN authentication started
SASL username: mailadmin
SASL SSF: 0
dn:cn=mailadmin,o=avci,c=de
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
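An added checker, not from this thread or from OpenLDAP, that lints a Cyrus SASL application config for the two points raised above (the per-application file slapd looks for, and `pwcheck_method: slapd` in place of `auxprop_plugin: slapd`); it assumes the SASL config directory is /etc/sasl2 and works on constructed copies of both files from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): lint a Cyrus SASL
# application config for slapd for the mistakes the thread diagnoses.
# Assumption: the SASL config dir is /etc/sasl2 and the application name is
# "slapd", so the per-application file is /etc/sasl2/slapd.conf.

# sasl_conf_get FILE KEY: print the value of the first "KEY: value" line, or nothing.
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# lint_sasl_conf FILE: return 0 if the file can serve PLAIN/LOGIN through slapd,
# 1 otherwise; one finding per line on stdout.
lint_sasl_conf() {
    conf="$1"; rc=0
    case "$conf" in
        */sasl2/slapd.conf) ;;
        *) echo "WARN: $conf is not <sasldir>/slapd.conf, the per-application file slapd looks for" ;;
    esac
    if [ -n "$(sasl_conf_get "$conf" pwcheck_method)" ]; then
        echo "FAIL: pwcheck_method is set; slapd logs 'unknown password verifier(s)'"; rc=1
    fi
    if [ "$(sasl_conf_get "$conf" auxprop_plugin)" != slapd ]; then
        echo "FAIL: 'auxprop_plugin: slapd' missing; PLAIN/LOGIN cannot check userPassword"; rc=1
    fi
    for m in $(sasl_conf_get "$conf" mech_list); do
        case "$m" in
            plain|login) echo "NOTE: $m sends the password in clear; keep it behind TLS or ldapi://" ;;
        esac
    done
    return $rc
}

# Constructed copies of the two files from the thread, in a scratch directory.
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/usr/lib64" "$SCRATCH/etc/sasl2"
WRONG_CONF="$SCRATCH/usr/lib64/sasl.conf"   # the file the question used
RIGHT_CONF="$SCRATCH/etc/sasl2/slapd.conf"  # the file the answer recommends
printf 'pwcheck_method: slapd\nmech_list: plain login digest-md5 external\n' > "$WRONG_CONF"
printf 'mech_list: gssapi digest-md5 cram-md5 external plain login\nauxprop_plugin: slapd\n' > "$RIGHT_CONF"

for f in "$WRONG_CONF" "$RIGHT_CONF"; do
    echo "== $f"
    lint_sasl_conf "$f" && echo "OK: usable for PLAIN/LOGIN via slapd" || echo "=> fix before retrying ldapwhoami -Y PLAIN"
done
```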