Bernard McAuley wrote:
Hi, I have set up a simple OPENLDAP server and I want to begin as I mean to go on and keep the setup secure. To this end I want the rootdn to be set to bind via SASL. According to the administrators guide this can be achieved by setting the DN to be of the form:

    uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

I've done this but when I attempt an ldapsearch I get the following:

    ldapsearch -U user supportedSASLMechanisms
    SASL/DIGEST-MD5 authentication started
    Please enter your password: <password>
    ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
            additional info: SASL(-13): user not found: no secret in database

But when I test the sasl account using testsaslauthd I get the following:

    /usr/sbin/testsaslauthd -u user -p secret -s slapd
    0: OK "Success."

Looking into the logs it appears that ldap never really gets around to authenticating properly with SASL, but instead appears to be trying to locate an entry in the LDAP database to authenticate against (the database is of course empty at this point!). Snippets of the logs and my slapd.conf file are below. Any suggestions would be appreciated.
1) saslauthd is not used by default. You need to read the SASL documentation, and put the appropriate config directives into /usr/lib/sasl2/slapd.conf if you actually want to use it.
2) saslauthd only supports cleartext authentication, not secure mechanisms like DIGEST-MD5. For achieving security, saslauthd is pretty much worthless and should not be used.
3) Since OpenLDAP 2.3.6 you can perform secure SASL binds using a plaintext rootpw in slapd.conf; this capability is not present in earlier releases.
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
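The two config files Howard refers to, written out as an added example. This is not part of the original thread and not the OpenLDAP project's own sample configuration; the realm example.com, the suffix dc=example,dc=com, the admin identity uid=admin, the database directory and the password are placeholders I chose for illustration, and the rootpw-as-SASL-secret behaviour relies on the 2.3.6-or-later feature named in point 3 above.

```conf
# --- /usr/lib/sasl2/slapd.conf  (Cyrus SASL application config read by slapd) ---
# Hypothetical example config; adjust the path to wherever your Cyrus SASL
# build looks for application configs (/usr/lib/sasl2 or /etc/sasl2).

# Offer only a challenge/response mechanism, so no password ever crosses the
# wire in the clear.
mech_list: DIGEST-MD5

# Deliberately no "pwcheck_method: saslauthd" here. saslauthd can only verify
# a cleartext password handed to it (PLAIN/LOGIN), so it cannot answer a
# DIGEST-MD5 challenge. slapd instead resolves the SASL user to a directory
# entry itself and reads the secret from there, which is why testsaslauthd
# succeeding tells you nothing about a DIGEST-MD5 bind to slapd.


# --- /etc/openldap/slapd.conf  (hypothetical minimal server config) ---
include     /etc/openldap/schema/core.schema
pidfile     /var/run/openldap/slapd.pid

# Realm sent in the DIGEST-MD5 challenge. The authentication DN slapd builds
# for a user is then  uid=<user>,cn=example.com,cn=digest-md5,cn=auth
sasl-realm    example.com
# Refuse anonymous and plaintext SASL mechanisms even if a client offers them.
sasl-secprops noanonymous,noplain

# Identity mapping rules; they are tried in order and the first match wins.
# Rule 1 pins the admin SASL identity to itself so it is never rewritten.
authz-regexp
    "^uid=admin,cn=example\.com,cn=digest-md5,cn=auth$"
    "uid=admin,cn=example.com,cn=digest-md5,cn=auth"
# Rule 2 maps every other SASL user onto the entry whose uid matches.
# Without a rule like this, slapd looks for the literal
# uid=<user>,cn=...,cn=auth DN, finds nothing, and the bind fails with
# "user not found: no secret in database", exactly as in the question.
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=digest-md5,cn=auth$"
    "ldap:///dc=example,dc=com??sub?(uid=$1)"

database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# The rootdn is given in SASL form. On 2.3.6 and later slapd uses the
# plaintext rootpw as the DIGEST-MD5 secret for this identity, so the admin
# can bind with SASL while the database is still completely empty.
rootdn      "uid=admin,cn=example.com,cn=digest-md5,cn=auth"
rootpw      secret

# Ordinary users matched by rule 2 above must exist as entries with a
# cleartext userPassword: DIGEST-MD5 needs the actual secret, so a hashed
# {SSHA} value cannot be used for those accounts.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
```

After restarting slapd, the quickest check is ldapwhoami -Y DIGEST-MD5 -U admin, which should report dn:uid=admin,cn=example.com,cn=digest-md5,cn=auth once the secret is entered; only then add user entries and test the second mapping rule with a non-admin uid.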
