On 10/02/13 09:08 -0400, btb wrote:
I've enabled the PLAIN SASL mech, and testing with ldapwhoami works,
but only if the userPassword is left as plaintext. If hashing [SSHA]
is used, it fails. A simple bind succeeds. What am I doing wrong?
ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password verification failed
524b7989 ==>slap_sasl2dn: converting SASL name
uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1]
string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply
rule='uid=([^,]*),cn=digest-md5,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1]
res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->
"uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing
uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
libsasl2, with default configuration, requires that the password be stored
in cleartext, even for PLAIN.
To support {ssha} in this scenario, I recommend you configure your SASL
slapd.conf file to authenticate against saslauthd, which in turn should be
configured to perform ldap simple (non-sasl) authentication against slapd.
Think of it as a two-level deep recursive authentication.
Create a slapd.conf SASL file (e.g. /usr/lib/sasl2/slapd.conf) with these
contents:
pwcheck_method: saslauthd
# Disallow shared secret mechanisms
mech_list: PLAIN LOGIN GSSAPI EXTERNAL
Run saslauthd with the ldap backend. Run in debug mode to troubleshoot.
If slapd is running non-root, modify the permissions to the saslauthd mux
(e.g. /var/run/saslauthd/mux) to allow slapd to access it.
See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
The saslauthd manpage
saslauthd/LDAP_SASLAUTHD (in the cyrus sasl source)
--
Dan White
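An added example, not from either message in this thread: a POSIX shell script that writes the two configuration files the reply describes (the SASL-side slapd.conf and a saslauthd.conf using the LDAP backend with a simple bind) and then exercises the chain. The saslauthd.conf option values, the search base, the ldapi/TLS choice and the file paths are my assumptions, not the poster's setup.

```shell
#!/bin/sh
# Added example: slapd -> libsasl2 -> saslauthd -> slapd simple bind.
# Assumed paths (hypothetical, adjust to the build): SASL config for slapd
# at /usr/lib/sasl2/slapd.conf, saslauthd options at /etc/saslauthd.conf.
SASL_SLAPD_CONF=${SASL_SLAPD_CONF:-/usr/lib/sasl2/slapd.conf}
SASLAUTHD_CONF=${SASLAUTHD_CONF:-/etc/saslauthd.conf}

# SASL-side slapd.conf from the reply: hand password checks to saslauthd
# instead of libsasl2's own lookup, which needs a cleartext userPassword.
sasl_slapd_conf() {
    cat <<'EOF'
pwcheck_method: saslauthd
# Disallow shared secret mechanisms
mech_list: PLAIN LOGIN GSSAPI EXTERNAL
EOF
}

# saslauthd LDAP backend (see LDAP_SASLAUTHD): find the entry by uid, then
# simple-bind as that DN. The bind makes slapd compare against the stored
# {SSHA} hash, which is the step libsasl2's PLAIN path cannot do itself.
# Search base and server are constructed for this example.
saslauthd_conf() {
    cat <<'EOF'
ldap_servers: ldap://dsa4.example.com/
ldap_start_tls: yes
ldap_search_base: ou=accounts,dc=example,dc=com
ldap_filter: (uid=%u)
ldap_auth_method: bind
ldap_version: 3
ldap_timeout: 10
EOF
}

# slapd (if running non-root) needs a socket it can read and write.
mux_accessible() { [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]; }

# Sanity check for generated config text: does a line start with $2?
conf_has() { printf '%s\n' "$1" | grep -q "^$2"; }

if [ "${1:-}" = apply ]; then
    sasl_slapd_conf > "$SASL_SLAPD_CONF"
    saslauthd_conf  > "$SASLAUTHD_CONF"
    # -d keeps saslauthd in the foreground with debug output so the LDAP
    # search and bind are visible; -O points at the options file.
    saslauthd -a ldap -O "$SASLAUTHD_CONF" -d &
    sleep 1
    testsaslauthd -u flash -p 'xxxxxxxx'
    ldapwhoami -H 'ldap://dsa4.example.com/' -Y PLAIN -U flash -w 'xxxxxxxx'
fi
```

The saslauthd-to-slapd simple bind carries the user's password in the clear, so keep that hop on ldapi:// or behind StartTLS as above; if the directory does not allow anonymous searches, add ldap_bind_dn and ldap_bind_pw for the lookup step.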