Thanks Dieter,

Our ldap is compiled with sasl, but I don't think I asked the question 
correctly.

Sun One must be doing the MD5 (or whatever) encryption locally and applying the 
userPassword that way. I just have to specify what I want via the 
supportedSaslMechanisms attribute. Openldap does not like this.

[Our] Openldap is defaulting to plaintext, and I wanted to apply a better 
default - at least MD5, and I wanted to be able to override plaintext during 
the user add process shown below using net ldap. Doing this I can have 
different encryptions for different users or user types on the same ldap, 
though I'm not sure why I would do this.

I did not find anything I could configure on ldap as a better default so I will 
encrypt the password and specify the encrypted version during the user add. 
There are two ways I found I can do this:

1. use the slappasswd utility to create the password
        # slappasswd output ends in a newline; note that -s puts the clear text in the process list
        chomp( $userpass = qx!/usr/local/sbin/slappasswd -s $clearpass -h {MD5}! );

2. This excellent help: 
http://blog.gauner.org/blog/2010/12/19/handling-salted-passwords-in-perl/ using 
the ldap_md5 subroutine (I'm sure the others work just as well)
        use Digest::MD5 ();   # pad_base64() is the helper defined in the blog post above
        $userpass = "{MD5}" . pad_base64( Digest::MD5::md5_base64($clearpass) );

Then pass them as shown below. Both work great, though I'm sure there is 
something to be cautious about.

I guess I was hoping for an answer where my second solution was in some way 
supported in net ldap. I'm not sure this is possible, or practical.

Mike
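
A generalisation of the second approach above, added here as an example and not code from the thread or from Net::LDAP itself: it builds a salted {SSHA} value (the format the linked blog post is about) client-side, self-checks it, and passes it in the same kind of add call. The server name, bind DN, user DN and attribute values are placeholders.

```perl
use strict;
use warnings;
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);
use Net::LDAP;

# RFC 2307 style "{SSHA}": base64( sha1(password . salt) . salt ). Unlike
# unsalted {MD5}, equal passwords hash differently, and the clear text never
# hits a command line (cf. slappasswd -s). Salt from /dev/urandom, not rand().
sub ssha_password {
    my ($clear) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $salt, 8) == 8 or die "short read from /dev/urandom\n";
    close $fh;
    return '{SSHA}' . encode_base64(sha1($clear . $salt) . $salt, '');
}

# Verify clear text against a stored {SSHA}; bytes after the 20-byte digest are the salt.
sub ssha_check {
    my ($clear, $stored) = @_;
    return 0 unless $stored =~ /^\{SSHA\}(\S+)$/;
    my $raw = decode_base64($1);
    return length($raw) > 20
        && sha1($clear . substr($raw, 20)) eq substr($raw, 0, 20);
}

# The add from the thread, with the pre-hashed value in userPassword.
sub add_user {
    my ($ldap, $user_dn, $uid, $sn, $givenname, $clearpass) = @_;
    my $userpass = ssha_password($clearpass);
    die "self-check failed\n" unless ssha_check($clearpass, $userpass);
    my $mesg = $ldap->add($user_dn, attr => [
        uid          => $uid,
        cn           => "$sn $givenname",
        sn           => $sn,
        givenName    => $givenname,
        objectClass  => [qw(top person organizationalPerson inetOrgPerson)],
        userPassword => $userpass,
    ]);
    $mesg->code and die 'add failed: ' . $mesg->error . "\n";
    return $userpass;
}

# Placeholders: server, bind DN, user DN. The admin password is taken from
# the environment so it does not show up in the process list either.
my $clearpass = shift(@ARGV) // die "usage: $0 <new-user-password>\n";
my $ldap = Net::LDAP->new('ldap.example.com') or die "$@";
my $mesg = $ldap->bind('cn=admin,dc=example,dc=com', password => $ENV{LDAP_ADMIN_PW});
$mesg->code and die 'bind failed: ' . $mesg->error . "\n";
add_user($ldap, 'uid=jdoe,ou=people,dc=example,dc=com', 'jdoe', 'Doe', 'Jane', $clearpass);
$ldap->unbind;
```

OpenLDAP's password-hash (olcPasswordHash) directive only governs the Password Modify extended operation, which Net::LDAP exposes as Net::LDAP::Extension::SetPassword; a userPassword value sent in a plain add or modify is stored exactly as received, which is why the hashing has to happen client-side here.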


-----Original Message-----
From: Dieter Klünter [mailto:die...@dkluenter.de] 
Sent: Sunday, October 12, 2014 2:36 AM
To: perl-ldap@perl.org
Subject: Re: supportedSaslMechanisms during ADD

Am Thu, 9 Oct 2014 13:51:33 +0000
schrieb "VANOLE, MICHAEL J" <mv5...@att.com>:

> Greetings,
> 
> This might be more of an ldap question, but I’m going to try this
> list.
> 
> I use net ldap to create new users on Sun One Directory v7 (ODSEE),
> and on openldap.
> 
> With ODSEE I’m able to specify which sasl mechanism I want a user to
> have like so:
> 
>     $adduser = $ldap->add( $user_dn,
>         attr => [
>             'uid'                     => $ldap_uid,
>             'cn'                      => "$ldap_last_name $ldap_first_name",
>             'givenname'               => $ldap_first_name,
>             'sn'                      => $ldap_last_name,
>             'objectclass'             => ['top','person','organizationalPerson','inetorgperson'],
>             'userpassword'            => $userpass,
>             'nsaccountlock'           => 'false',
>             'supportedsaslmechanisms' => 'cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config' ]);
> 
> With openldap this fails with a message about sasl mechanism can only
> be applied to rootdse. I have several supported mechanisms I can
> choose from. Part of the problem might be I don’t know the ‘cn’ for
> them as I have above, so I tried this:
> 
>     $adduser = $ldap->add( $user_dn,
>         attr => [
>             'uid'                     => $ldap_uid,
>             'cn'                      => "$ldap_last_name $ldap_first_name",
>             'givenname'               => $ldap_first_name,
>             'sn'                      => $ldap_last_name,
>             'objectclass'             => ['top','person','organizationalPerson','inetorgperson'],
>             'userpassword'            => $userpass,
>             'supportedsaslmechanisms' => 'DIGEST-MD5' ]);
> 
> Should this work with openldap if I had the full hierarchy path to the
> sasl mechanism? What would that be on openldap if so?

If OpenLDAP has been compiled with cyrus-sasl, sasl mechanisms are
declared in $HOME/sasl2/slapd.conf. On Linux this would
be /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf. Read the
cyrus-sasl docs
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/sysadmin.php
and openldap docs
http://www.openldap.org/doc/admin24/sasl.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
