Hello All,
I was working on this problem and figured out that the ldapdb auxprop plugin is
missing.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
...
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such a thing, the ldapdb auxprop plugin should be enabled.
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
The package has been installed and the below files are there:
libldapdb.la
libldapdb.so.2.0.22
libldapdb.so.2
libldapdb.so
Please help me with how to set up SASL using the LDAP directory.
Thanks for your help.
Regards,
Gaurav Gugnani
On Tue, Feb 7, 2012 at 11:01 AM, Gaurav Gugnani <[email protected]> wrote:
> Hello All,
>
> Thanks to all for helping me out. I hope the destination is not too far now,
> as I have achieved SASL, but it is storing the secrets using sasldb.
> However, I want it to store the information in the LDAP directory.
>
> I've installed the corresponding package:
> cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
>
> Steps for SASL in LDAP using sasldb
> ------------------------------------------------------
>
> 1> saslpasswd2 -c sasluser14
> 2> sasldblistusers2
>
> 3> service ldap stop
>
> 4> vi etc/openldap/slapd.conf
> sasl-auxprops sasldb
>
> authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
> - Give proper ACL to sasluser14
>
> 5> cat /usr/lib64/sasl2/slapd.conf
> # SASL Configuration
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> #auxprop_plugin: slapd
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> sasldb_path: /etc/sasldb2
>
> 6> service ldap start
>
> 7> ps -eaf | grep -i ldap
>
> 8> vi add_sasl_accnt14.ldif
>
> # TEST Account for SASL:
> dn: uid=sasluser14,ou=System,o=xyz
> uid: sasluser14
>
> ou: System
> description: Special account for SASL Testing
> userPassword: sasluser14
> objectClass: account
> objectClass: simpleSecurityObject
>
> 9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
>
> 10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b
> 'uid=sasluser7,ou=system,o=xyz'
>
> But now the problem is that it is storing the users in sasldb, and we want to
> use the LDAP directory.
> Can anyone please suggest what changes I need to make to achieve this?
>
>
> Thanks a lot for your support.
>
> Regards,
> Gaurav Gugnani
>
> On Mon, Feb 6, 2012 at 9:17 PM, Dan White <[email protected]> wrote:
>
>> On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
>>
>>> Hello All,
>>>
>>> Thanks for helping me out; however, I'm still stuck in the middle of it and the
>>> issue has not yet been resolved.
>>>
>>
>> You should run your server in debug mode to determine what's going awry.
>>
>>> *Error:*
>>>
>>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y
>>> DIGEST-MD5 -U
>>> sasluser7 -b 'o=xyz'
>>> SASL/DIGEST-MD5 authentication started
>>> Please enter your password:
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>> additional info: SASL(-13): user not found: no secret in database
>>>
>>> I checked the ACL, and I'm now also using authz with the following lines:
>>>
>>> authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
>>>
>>> access to attrs="userpassword"
>>>     by self write
>>>     by anonymous auth
>>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>> access to dn.base="o=xyz"
>>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>>     by users read
>>> access to dn.subtree="ou=Subscribers,o=xyz"
>>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>> access to *
>>>     by self write
>>>     by dn="uid=sasluser7,ou=System,o=xyz" read
>>>
>>> I hope it is fine.
>>>
>>
>> I have 'by anonymous auth' on the following:
>>
>> access to dn.base="ou=people,dc=example,dc=net"
>> access to attrs=userPassword
>> access to attrs=authzTo
>> access to attrs=objectClass
>> access to attrs=entry,uidNumber
>>
>> You could determine piecemeal whether that's sufficient for you, but, again,
>> use debug output to figure it out. For example:
>>
>> slapd -d -1 -h ldap:/// -u openldap -g openldap
>>
>> See the manpage for slapd for details.
>>
>>
>>> Moreover, we can say that the user is created:
>>> /u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D
>>> 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=sasluser7,ou=System,o=xyz> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # sasluser7, System, xyz
>>> dn: uid=sasluser7,ou=System,o=xyz
>>> uid: sasluser7
>>> ou: System
>>> description: Special account for SASL Testing
>>> userPassword:: c2FzbVHzZXI3
>>>
>>
>> Be aware that the above is a simple uuencoding of your password. It should
>> now be considered publicly known.
>>
>>
>>> objectClass: account
>>> objectClass: simpleSecurityObject
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> Also, I would like to highlight one thing:
>>>
>>> When I check for sasldb list users, it throws me an error. Can that
>>> be an issue point?
>>> /u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
>>> -bash: sasldblistusers: command not found
>>>
>>
>> The cyrus sasl* commands are most likely doing the wrong thing: they
>> default to using the sasldb auxprop store (which uses /etc/sasldb2)
>> rather than slapd or ldapdb. I would not use them at this point, as they're
>> bound to confuse the matter.
>>
>> --
>> Dan White
>>
>
>
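An added checker, not from the thread or from OpenLDAP, that reads constructed copies of the slapd.conf and Cyrus SASL slapd.conf fragments quoted above and reports which auxprop store slapd will consult for DIGEST-MD5 secrets, plus whether userPassword carries the 'by anonymous auth' that Dan's working ACL has. It assumes that the slapd.conf sasl-auxprops directive overrides the Cyrus auxprop_plugin option and that leaving both unset means slapd's internal userPassword lookup.

```python
"""Added example, not from the thread: decide where slapd will look up
SASL secrets from the two config files quoted above, and check the ACL.
The config strings are constructed copies of what the thread shows."""
import re

def auxprop_store(slapd_conf: str, sasl_conf: str) -> str:
    """Auxprop plugin slapd consults for DIGEST-MD5 / CRAM-MD5 secrets.
    Assumption: slapd.conf 'sasl-auxprops' overrides the Cyrus SASL
    'auxprop_plugin:' option, and with neither set slapd uses its
    internal lookup ('slapd'), i.e. userPassword in the directory."""
    m = re.search(r"^\s*sasl-auxprops\s+(\S+)", slapd_conf, re.M)
    if m:
        return m.group(1)
    m = re.search(r"^\s*auxprop_plugin:\s*(\S+)", sasl_conf, re.M)
    return m.group(1) if m else "slapd"

def anonymous_auth_on(slapd_conf: str, attr: str) -> bool:
    """True if the 'access to attrs=<attr>' clause grants 'by anonymous auth',
    the permission Dan White's working configuration carries on userPassword."""
    clauses = re.split(r"^\s*access\s+to\s+", slapd_conf, flags=re.M | re.I)
    for clause in clauses[1:]:          # clauses[0] precedes the first ACL
        head = clause.split("\n", 1)[0]  # the '<what>' part of the clause
        if re.search(rf'attrs="?{attr}"?', head, re.I) and \
           re.search(r"by\s+anonymous\s+auth", clause, re.I):
            return True
    return False

# Constructed from the thread: the settings that kept sending slapd to sasldb.
THREAD_SLAPD_CONF = """\
sasl-auxprops sasldb
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
access to attrs="userpassword"
    by self write
    by anonymous auth
    by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
    by self write
"""
THREAD_SASL_CONF = "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nsasldb_path: /etc/sasldb2\n"

# Constructed fix: both files point at slapd's own lookup instead of sasldb.
FIXED_SLAPD_CONF = THREAD_SLAPD_CONF.replace("sasl-auxprops sasldb", "sasl-auxprops slapd")
FIXED_SASL_CONF = "pwcheck_method: auxprop\nauxprop_plugin: slapd\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n"

if __name__ == "__main__":
    print(auxprop_store(THREAD_SLAPD_CONF, THREAD_SASL_CONF))    # sasldb
    print(auxprop_store(FIXED_SLAPD_CONF, FIXED_SASL_CONF))      # slapd
    print(anonymous_auth_on(THREAD_SLAPD_CONF, "userPassword"))  # True
```

DIGEST-MD5 and CRAM-MD5 can only be verified against a cleartext userPassword, which is why the LDIF in the thread stores the value unhashed; a hashed value cannot serve these mechanisms.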