6.3. SASL Configuration: Digest-MD5

I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've followed strictly the steps listed bellow:

  • Downloaded SleepyCat 4.2.52, compiling and building manually. After downloading, I've just followed the instructions listed on the file docs/index.html under the directory where I've unpacked the .tar.gz bundle.

    After unpacking you can run the suggested:

    root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#../dist/configure
    root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make
    root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make install
    
  • Downloaded Cyrus SASL 2.1.17, unpacking and following the instructions listed on the document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of attention, you need to run the configure script using some env parameters:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
    LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories where Berkeley BDB was installed.

    After that you can run the suggested:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make
    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make install
    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
  • Finally, I've installed OpenLDAP 2.2.5 using the same directions listed on this document, just running the configure script the same way as SASL's configure:

    root@rdnt03:/usr/local/openldap-2.2.5#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
    LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    After that, I've run the suggested:

    root@rdnt03:/usr/local/openldap-2.2.5#make depend
    root@rdnt03:/usr/local/openldap-2.2.5#make
    root@rdnt03:/usr/local/openldap-2.2.5#make install
  • Next, I've created the sasl user database:

    root@rdnt03:~# saslpasswd2 -c admin

    You'll be prompted for a password. Remember that the username should not be a DN (distinguished name). Also remember to use the same password as your admin entry on the directory tree.

  • Now, you should set the sasl-regexp directive in the slapd.conf file before starting the slapd daemon and testing the authentication. My slapd.conf file resides at /usr/local/etc/openldap:

    sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever

    This parameter is in the format of:

    uid=<username>,cn=<realm>,cn=<mech>,cn=auth

    The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:

    root@rdnt03:~# sasldblistusers2
    admin@rdnt03: userPassword
    admin@rdnt03: cmusaslsecretOTP

    In my case, rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:

    dn: o=Ever
    o: Ever
    description: Organization Root
    objectClass: top
    objectClass: organization
    
    dn: ou=Staff, o=Ever
    ou: Staff
    description: These are privileged users that can interact with Organization products
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=People, o=Ever
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    
    dn: uid=admin, ou=Staff, o=Ever
    uid: admin
    cn: LDAP Adminstrator
    sn: admin
    userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    objectClass: Top
    objectClass: Person
    objectClass: Organizationalperson
    objectClass: Inetorgperson
    
    dn: uid=admin,ou=People,o=Ever
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    displayName: admin
    mail: admin@eversystems.com.br
    uid: admin
    cn: Administrator
    sn: admin
    

    Add the entries to your LDAP directory using the following command:

    slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
  • Now, start the slapd daemon and run a query using the ldapsearch command:

    root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: admin@rdnt03
    SASL SSF: 128
    SASL installing layers
    ...
    Entries
    ...

That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at http://www.openldap.org/doc/admin22/sasl.html. This link assumes you've already managed to install and configure the SASL library. The mailing lists will help you get going with this matter: http://asg.web.cmu.edu/sasl/index.html#mailinglists

Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout