I had set up a secured TLS with all the certificates and keys needed. But
still, I cannot login using SASL and PLAIN/LOGIN mechanisms over TLS. The
user in the example has the userPassword hashed in MD5. See errors below:

>ldapsearch -h localhost:9999 -Y PLAIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed

>ldapsearch -h localhost:9999 -Y LOGIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: checkpass failed

Using a cleartext password solves the problem, but this is not what I am trying
to do.
Just a reminder of what I am trying to achieve: in the database I want the
userPassword field to be hashed, and the bind authentication will be checked
against it using the authz-regexp directive in slapd.conf. Using DIGEST-MD5 SASL
doesn't help here because the userPassword needs to be in cleartext in the
database.

Yet again, any help will be appreciated.
Zohar



On 10/23/07, Dieter Kluenter <[EMAIL PROTECTED]> wrote:
>
> "Zohar Lev Shani" <[EMAIL PROTECTED]> writes:
>
> > OK, got that.
> >
> > Now I am trying a different SASL configuration, and I have these
> > mechanisms available:
> >
> >> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base
> -LLL
> > dn:
> > supportedSASLMechanisms: LOGIN
> > supportedSASLMechanisms: PLAIN
> >
> > With the same data, I tried running ldapsearch with SASL and got that
> > there are no SASL mechanisms available.
> >
> >> ldapsearch -h localhost:9999 -Y PLAIN -U user1 -w pass1 -LLL -b
> cn=user1,cn=users,dc=my-domain,dc=com
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> >         additional info: SASL(-4): no mechanism available: No worthy
> mechs found
> >
> > Same goes for '-Y LOGIN'.
> >
> > What am I missing here?
>
> OpenLDAP only supports PLAIN and LOGIN if the data transport is secured,
> that is, either by TLS or a local pipe. Install sasl libdigestmd5 and
> libcrammd5 to provide shared secret security.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> GPG Key ID:8EF7B6C6
>
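
As an added example (not code from this thread or from OpenLDAP), the following Python shows the check a directory server can perform only when it receives the cleartext password, as happens with a simple bind or SASL PLAIN/LOGIN over TLS: re-hash the candidate with the stored scheme and salt and compare. It also shows why the DIGEST-MD5 secret cannot be derived from a stored {MD5} or {SSHA} userPassword, which is the limitation described above. Function names and sample values are constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Added example: verify a cleartext candidate against an RFC 2307-style
# userPassword value ({MD5}, {SMD5}, {SHA}, {SSHA}, or unprefixed cleartext).
# Function names and sample values here are constructed for illustration.

# scheme -> (hashlib algorithm name, salted?)
_SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}


def hash_userpassword(cleartext: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}base64(digest + salt) value, as slappasswd would."""
    algo, salted = _SCHEMES[scheme]
    salt = (salt if salt is not None else secrets.token_bytes(4)) if salted else b""
    digest = hashlib.new(algo, cleartext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches stored; needs the cleartext candidate as input."""
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the stored value is itself the cleartext password.
        return secrets.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, encoded = stored[1:].split("}", 1)
    if scheme.upper() not in _SCHEMES:
        return False  # unsupported scheme (e.g. {CRYPT} is not handled here)
    algo, salted = _SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # malformed base64 never matches
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return secrets.compare_digest(digest, expected)


def digest_md5_ha1(username: str, realm: str, cleartext: str) -> bytes:
    """DIGEST-MD5 secret H(user:realm:password): computable from the cleartext
    only, never from a stored hash of the password alone."""
    return hashlib.md5(f"{username}:{realm}:{cleartext}".encode("utf-8")).digest()
```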
