6.3. SASL Configuration: Digest-MD5

I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've
followed strictly the steps listed below:

Downloaded Sleepycat Berkeley DB 4.2.52, compiling and building it manually. After downloading,
I've just followed the instructions listed in the file docs/index.html under the directory where I've
unpacked the .tar.gz bundle. After unpacking you can run the suggested:

root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# ../dist/configure
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# make
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix# make install
Downloaded Cyrus SASL 2.1.17, unpacking it and following the instructions listed in the
document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of
attention: you need to run the configure script with some environment variables set:

root@rdnt03:/usr/local/cyrus-sasl-2.1.17# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

The CPPFLAGS and LDFLAGS environment variables should point to the respective include and lib directories
where Berkeley DB was installed. After that you can run the suggested:

root@rdnt03:/usr/local/cyrus-sasl-2.1.17# make
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.17# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

The symbolic link makes the mechanism plugins installed under /usr/local/lib/sasl2 visible in
/usr/lib/sasl2, the directory where the SASL library looks for them by default.
Finally, I've installed OpenLDAP 2.2.5 using the same directions listed in this document, just running
the configure script the same way as SASL's configure:

root@rdnt03:/usr/local/openldap-2.2.5# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

Check the configure output to make sure it found the Cyrus SASL headers and library; if it did not,
slapd is built without SASL support and the rest of this section will not work. After that, I've run
the suggested:

root@rdnt03:/usr/local/openldap-2.2.5# make depend
root@rdnt03:/usr/local/openldap-2.2.5# make
root@rdnt03:/usr/local/openldap-2.2.5# make install
Next, I've created the SASL user database:

root@rdnt03:~# saslpasswd2 -c admin

You'll be prompted for a password. Remember that the username should not be a DN (distinguished name).
Also remember to use the same password as your admin entry on the directory tree. Note that DIGEST-MD5
is a challenge-response mechanism: the server needs the cleartext password to check the client's
response, so saslpasswd2 stores it in cleartext in the sasldb file (by default /etc/sasldb2), and the
hashed userPassword of the directory entry plays no part in the SASL authentication. That file must be
readable by the user slapd runs as, and it should not be readable by anyone else.

Now, you should set the sasl-regexp directive in the slapd.conf file before
starting the slapd daemon and testing the authentication. My slapd.conf file resides at
/usr/local/etc/openldap:

sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
This directive is in the format:

sasl-regexp <search pattern> <replacement pattern>

The identity that authenticated through SASL is presented to the search pattern as a DN of the form
uid=<username>,cn=<realm>,cn=<mech>,cn=auth. The username is captured from that DN and inserted into
the replacement pattern in the place of $1; the result is the DN slapd uses as the identity of the
connection. Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it
isn't, like mine: the default realm is derived from the machine's host name, and saslpasswd2 -u <realm>
lets you store the password under a realm of your choosing. The realm the client presents must be the
one the password was stored under. To find out what your realm is, do:

root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP

In my case, rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use
the following LDIF file (in LDIF, entries are separated from each other by a blank line):
dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Administrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
Add the entries to your LDAP directory using the following command, with slapd not running yet
(slapadd writes to the database files directly):

slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
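The following is an added example, not code from this HOWTO or from OpenLDAP, that models how slapd evaluates the sasl-regexp directive given above: it builds the uid=<username>,cn=<realm>,cn=<mech>,cn=auth identity, applies the directives in order with the first match winning and $1 filled from the capture group, and checks whether the result names one of the entries in Ever.ldif. It goes beyond the HOWTO's single directive to show a realm-independent variant, where a greedy (.*) followed by cn=.* lets $1 swallow the realm component, while ([^,]*) captures only the username. The FQDN-style realm rdnt03.example.org, the rule names GREEDY_RULE and SAFE_RULE and the list of LDIF DNs are assumptions made for the demonstration; slapd's normalisation of the DN before matching is not modelled, and patterns are matched with Python's re, which agrees with the POSIX extended regular expressions slapd uses for these inputs.

```python
import re


def sasl_auth_dn(authcid, realm, mech):
    """The DN slapd forms for a SASL user before any mapping is applied:
    uid=<username>,cn=<realm>,cn=<mech>,cn=auth, with the cn=<realm>
    component left out when the mechanism supplies no realm."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(auth_dn, rules):
    """rules: ordered (search pattern, replacement) pairs, one per sasl-regexp
    line. Patterns are searched unanchored, as POSIX regexec does, and
    case-insensitively; the first one that matches wins and $1..$9 in its
    replacement are filled from its capture groups. With no match the
    identity stays the raw cn=auth DN, as it does in slapd."""
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


def normalise_dn(dn):
    """Just enough DN normalisation to compare: case-fold and drop the
    optional whitespace around the commas between RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# DNs of the entries in the HOWTO's Ever.ldif (constructed list, typed from the LDIF).
LDIF_DNS = {normalise_dn(d) for d in (
    "o=Ever", "ou=Staff, o=Ever", "ou=People, o=Ever",
    "uid=admin, ou=Staff, o=Ever", "uid=admin,ou=People,o=Ever")}


def mapped_entry_exists(auth_dn, rules, known_dns=LDIF_DNS):
    """The mapped DN is the identity slapd then uses in access control, so it
    should name an entry that really exists in the tree."""
    return normalise_dn(apply_sasl_regexp(auth_dn, rules)) in known_dns


# The HOWTO's own directive.
HOWTO_RULE = [(r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,o=Ever")]
# Realm-independent variants (assumed, not from the HOWTO): with cn=.* in the
# pattern, a greedy (.*) backtracks so that $1 swallows the realm component;
# ([^,]*) stops at the first comma and captures only the username.
GREEDY_RULE = [(r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=People,o=Ever")]
SAFE_RULE = [(r"uid=([^,]*),cn=.*,cn=auth", "uid=$1,ou=People,o=Ever")]


if __name__ == "__main__":
    for realm in ("rdnt03", "rdnt03.example.org"):
        dn = sasl_auth_dn("admin", realm, "DIGEST-MD5")
        for name, rules in (("howto", HOWTO_RULE), ("greedy", GREEDY_RULE), ("safe", SAFE_RULE)):
            mapped = apply_sasl_regexp(dn, rules)
            print(f"{name:6} {dn} -> {mapped} (exists: {mapped_entry_exists(dn, rules)})")
```

Running the block shows the HOWTO's directive mapping admin@rdnt03 to uid=admin,ou=People,o=Ever, an entry that exists, leaving an identity with an unexpected realm unmapped as its cn=auth DN, and the greedy variant producing a DN with cn=<realm> spliced into it that matches nothing in the tree.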
Now, start the slapd daemon and run a query using the ldapsearch command (-U gives the SASL
authentication identity):

root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
...
Entries
...

The "SASL SSF: 128" and "SASL installing layers" lines show that a DIGEST-MD5 security layer with
confidentiality was negotiated (an SSF of 1 would mean integrity protection only), so the rest of the
session is protected by SASL rather than sent in the clear.
That's it! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
http://www.openldap.org/doc/admin22/sasl.html. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: http://asg.web.cmu.edu/sasl/index.html#mailinglists
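As an added example, not code from this HOWTO, from Cyrus SASL or from OpenLDAP, here is the DIGEST-MD5 computation behind the exchange above, following RFC 2831. It shows why the earlier remark about the sasldb holds: the client's response and the server's rspauth are both derived from H(username:realm:password), so the server must hold the cleartext password from the sasldb (or at least that realm-bound MD5), and the {SHA} userPassword in the directory entry cannot be used to verify it; it also shows that a client naming a different realm than the one the password was stored under fails. The password s3cret, the two nonces, the digest-uri ldap/rdnt03 and the realm rdnt03.example.org are constructed values, and the sasldb is modelled as a dictionary keyed by username@realm in the form sasldblistusers2 prints.

```python
import hashlib
import hmac


def _hx(data):
    """HEX(H(s)) with H = MD5. RFC 2831 encodes strings as ISO 8859-1 when they
    fit and as UTF-8 otherwise; the ASCII values used here are unaffected."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def realm_bound_secret(username, realm, password):
    """H(username:realm:password), the raw 16-byte MD5. This is the least a
    server can keep and still verify DIGEST-MD5, and it is bound to the realm:
    a password stored under realm rdnt03 cannot verify a client naming another."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri, rspauth=False):
    """RFC 2831 section 2.1.2.1. A1 = H(user:realm:pw):nonce:cnonce;
    A2 = "AUTHENTICATE:" digest-uri for the client's response and ":" digest-uri
    for the server's rspauth, plus 32 zeros when qop is auth-int or auth-conf;
    result = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k:s)."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return _hx(f"{_hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hx(a2)}")


def client_authenticate(username, realm, password, nonce, cnonce, digest_uri, qop="auth-conf"):
    """Client side: the digest-response fields sent back after the server's
    challenge. qop=auth-conf asks for an encrypting security layer, the case
    ldapsearch reports as "SASL installing layers"."""
    secret = realm_bound_secret(username, realm, password)
    nc = "00000001"
    return {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
            "nc": nc, "qop": qop, "digest-uri": digest_uri,
            "response": digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri)}


def server_verify(sasldb, issued_nonce, msg):
    """Server side: check the nonce is the one this server issued, look the user
    up under username@realm (the form sasldblistusers2 prints), recompute the
    response from the stored cleartext and return rspauth, or None on failure."""
    if msg["nonce"] != issued_nonce:
        return None
    password = sasldb.get(f"{msg['username']}@{msg['realm']}")
    if password is None:
        return None
    secret = realm_bound_secret(msg["username"], msg["realm"], password)
    args = (msg["nonce"], msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
    if not hmac.compare_digest(digest_md5_response(secret, *args), msg["response"]):
        return None
    return digest_md5_response(secret, *args, rspauth=True)


# Constructed stand-in for the sasldb that "saslpasswd2 -c admin" writes:
# it holds the cleartext password, keyed by username@realm.
SASLDB = {"admin@rdnt03": "s3cret"}
# Fixed for the demonstration; real implementations draw both at random per exchange.
SERVER_NONCE = "c0nstructedServerNonce"
CLIENT_CNONCE = "c0nstructedClientCnonce"


def demo():
    """One full exchange: returns (client response, server rspauth)."""
    msg = client_authenticate("admin", "rdnt03", "s3cret", SERVER_NONCE, CLIENT_CNONCE, "ldap/rdnt03")
    return msg["response"], server_verify(SASLDB, SERVER_NONCE, msg)


if __name__ == "__main__":
    response, rspauth = demo()
    print("client response:", response)
    print("server rspauth: ", rspauth)
```

The server-side check is deliberately a recomputation from the stored secret: there is no way to turn a {SHA} hash of the password into H(username:realm:password), which is why a sasldb entry (or another cleartext-equivalent source) is required for DIGEST-MD5 even when the same user also has a hashed userPassword in the directory.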