6.3. SASL Configuration: Digest-MD5
I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I strictly followed the steps listed below:
Downloaded SleepyCat Berkeley DB 4.2.52 and compiled and built it manually. After downloading, I just followed the instructions in the file docs/index.html under the directory where I unpacked the .tar.gz bundle.
After unpacking you can run the suggested:
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# ../dist/configure
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# make
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# make install
Downloaded Cyrus SASL 2.1.17, unpacked it and followed the instructions in the document doc/install.html, under the directory where I unpacked the .tar.gz file. One point needs attention here: the configure script must be run with some environment variables set:
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure
The CPPFLAGS and LDFLAGS environment variables must point to the include and lib directories, respectively, where Berkeley DB was installed.
After that you can run the suggested:
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# make
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
Finally, I installed OpenLDAP 2.2.5 following the same directions, running its configure script the same way as SASL's configure:
root@rdnt03:/usr/local/openldap-2.2.5# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure
After that, I ran the suggested:
root@rdnt03:/usr/local/openldap-2.2.5# make depend
root@rdnt03:/usr/local/openldap-2.2.5# make
root@rdnt03:/usr/local/openldap-2.2.5# make install
Next, I created the SASL user database:
root@rdnt03:~# saslpasswd2 -c admin
You'll be prompted for a password. Remember that the username must not be a DN (distinguished name). Also remember to use the same password as the admin entry in your directory tree, because DIGEST-MD5 is verified against this SASL database, not against the directory.
Now, set the sasl-regexp directive in the slapd.conf file before starting the slapd daemon and testing the authentication. My slapd.conf file resides in /usr/local/etc/openldap:
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
This parameter is in the format of:
uid=<username>,cn=<realm>,cn=<mech>,cn=auth
The username is taken from SASL and inserted into the LDAP search string in place of $1. Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases, like mine, it isn't. To find out what your realm is, run:
root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP
In my case, rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:
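The mapping above is easy to get wrong silently: if the realm in the rule does not match the realm SASL reports, the rule never fires and the user is left with the unmapped cn=auth identity, which names no entry in the tree, so ACLs written for uid=admin,ou=People,o=Ever do not apply. The following is an added example (not code from the HOWTO or from OpenLDAP) that models how slapd applies the page's sasl-regexp rule to the uid=<username>,cn=<realm>,cn=<mech>,cn=auth identity; it assumes slapd's matching is case-insensitive and unanchored, and the FQDN realm used for the negative case is a constructed value.

```python
import re
from typing import Optional

# The sasl-regexp rule from the HOWTO's slapd.conf (the page's own values).
# slapd substitutes $1 with the first parenthesised group of the match.
SASL_REGEXP_MATCH = r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth"
SASL_REGEXP_REPLACE = "uid=$1,ou=People,o=Ever"


def sasl_auth_dn(username: str, realm: str, mech: str = "DIGEST-MD5") -> str:
    """Build the authentication DN slapd derives from a SASL identity.

    This is the string the sasl-regexp rule is matched against:
    uid=<username>,cn=<realm>,cn=<mech>,cn=auth
    """
    return f"uid={username},cn={realm},cn={mech},cn=auth"


def apply_sasl_regexp(auth_dn: str,
                      match: str = SASL_REGEXP_MATCH,
                      replace: str = SASL_REGEXP_REPLACE) -> Optional[str]:
    """Apply one sasl-regexp rule to an authentication DN.

    Returns the mapped directory DN, or None when the rule does not match
    (slapd then keeps the unmapped cn=auth DN, which no entry in the tree
    carries).  Assumption: matching is case-insensitive, like DN matching.
    """
    m = re.search(match, auth_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    mapped = replace
    # slapd supports the placeholders $1..$9; substitute each captured group.
    for index in range(1, len(m.groups()) + 1):
        mapped = mapped.replace(f"${index}", m.group(index))
    return mapped


def map_sasl_user(username: str, realm: str,
                  mech: str = "DIGEST-MD5") -> Optional[str]:
    """SASL user + realm -> directory DN, or None if the rule does not fire."""
    return apply_sasl_regexp(sasl_auth_dn(username, realm, mech))


if __name__ == "__main__":
    # The realm reported by sasldblistusers2 on the page is "rdnt03".
    print(map_sasl_user("admin", "rdnt03"))
    # Constructed FQDN realm: the page's rule names "rdnt03", so no match.
    print(map_sasl_user("admin", "rdnt03.example.com"))
    # A different mechanism also falls through, since cn=<mech> is part of the DN.
    print(map_sasl_user("admin", "rdnt03", mech="GSSAPI"))
```

Running it prints the mapped DN for the page's own identity and None for the other two, which is exactly the symptom to look for when a bind succeeds at the SASL layer but the user has no access: check sasldblistusers2 for the realm and make sure the rule's cn=<realm> and cn=<mech> components match what SASL actually presents.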
dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Administrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
Add the entries to your LDAP directory using the following command:
slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
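Both admin entries in the LDIF store the password with the {SHA} scheme, which is a plain, unsalted SHA-1 digest in base64: two users with the same password get the same string, and anyone who obtains the attribute can match it against precomputed digests. The following added example (not code from the HOWTO or from OpenLDAP) computes and verifies {SHA} values and the salted {SSHA} variant that slappasswd can also produce. The stored hash is the page's own LDIF value, and the candidate password "secret" is the well-known documentation password that this digest corresponds to; the salt used in the salted variant is generated here. Note that this userPassword is what simple binds check; the DIGEST-MD5 bind from the page is verified against the sasldb2 secret instead, which is why the two must be kept in sync.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# userPassword value copied from the HOWTO's LDIF (both admin entries).
STORED_ADMIN_HASH = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

SHA1_LEN = 20  # SHA-1 digest length in bytes; whatever follows is the salt


def sha_hash(password: str) -> str:
    """Unsalted {SHA} scheme, as in the LDIF: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} scheme: base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        computed = hashlib.sha1(password.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    else:
        raise ValueError("unsupported userPassword scheme: " + stored[:8])
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    print(verify_password("secret", STORED_ADMIN_HASH))
    print(verify_password("not-secret", STORED_ADMIN_HASH))
    # Unsalted: identical input gives an identical stored value every time.
    print(sha_hash("secret") == STORED_ADMIN_HASH)
    # Salted: each call yields a different stored value for the same password,
    # yet verification still succeeds.
    salted = ssha_hash("secret")
    print(salted != ssha_hash("secret"), verify_password("secret", salted))
```

If you keep the LDIF's {SHA} values, treat the directory's userPassword attribute as sensitive in your ACLs (no anonymous or authenticated read of it) and prefer {SSHA} for any entries you create yourself.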
Now, start the slapd daemon and run a query using the ldapsearch command:
root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
... Entries ...
That's it! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at http://www.openldap.org/doc/admin22/sasl.html. That document assumes you've already managed to install and configure the SASL library. The SASL mailing lists will help you get going with this: http://asg.web.cmu.edu/sasl/index.html#mailinglists