Hello Michael,

On Sat, 08 Feb 2014 11:45:52 +0100, Michael Ströder <[email protected]> wrote:

> HI!
>
> I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they
> do not have to deal with full bind-DNs, my client does not have to
> search the user and to avoid slapo-rwm.
>
> Yes, the connection is protected with TLS.
> Later it has to work with hashed userPassword values.
> It should be feasible. Or not?
>
> Test system:
> latest OpenLDAP RE24
> cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1
>
> In my test setup everything works with DIGEST-MD5 but not with PLAIN
> or LOGIN (clear-text userPassword value for testing).
> The log shows that the SASL username gets mapped by authz-regexp to
> the correct LDAP user entry:
>
> 52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
> 52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example
>
> But SASL does not use "pwcheck_method: slapd" for mechs PLAIN/LOGIN
> but works with DIGEST-MD5:
>
> $ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
> SASL/DIGEST-MD5 authentication started
> SASL username: user
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=user,ou=dept,o=example
> $ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
> SASL/LOGIN authentication started
> ldap_sasl_interactive_bind_s: Authentication method not supported (7)
>         additional info: SASL(-4): no mechanism available: checkpass failed
> $ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
> SASL/PLAIN authentication started
> ldap_sasl_interactive_bind_s: Authentication method not supported (7)
>         additional info: SASL(-4): no mechanism available: Password verification failed
>
> The trace shows for PLAIN or LOGIN
> (running slapd -d config,stats,stats2,acl,args,trace):
>
> SASL [conn=1002] Error: unknown password verifier(s) slapd
>
> My /usr/lib64/sasl.conf contains:
> ---------------------------- snip ----------------------------
> pwcheck_method: slapd
> mech_list: plain login digest-md5 external
> ---------------------------- snip ----------------------------
> I've checked that this is the right file by setting "pwcheck_method:
> foobar" which appears in the logs then.

Wrong configuration file. You should configure slapd in /etc/sasl2/slapd.conf:

mech_list: gssapi digest-md5 cram-md5 external plain login
auxprop_plugin: slapd

ldapwhoami -Y LOGIN -U mailadmin -w secret -H ldapi:///
SASL/LOGIN authentication started
SASL username: mailadmin
SASL SSF: 0
dn:cn=mailadmin,o=avci,c=de

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
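An added check, not part of this thread or of OpenLDAP/Cyrus SASL: a small POSIX shell lint for the SASL application config that slapd reads (Cyrus SASL looks up the file by application name, hence /etc/sasl2/slapd.conf), flagging the "pwcheck_method: slapd" setting from the report and the missing "auxprop_plugin: slapd" from the reply. The function names and the two sample files it writes are my own constructions mirroring the configs quoted above.

```shell
#!/bin/sh
# Lint a Cyrus SASL application config file (for slapd: /etc/sasl2/slapd.conf)
# for the two problems seen in the thread. Function and file names are assumed,
# not part of OpenLDAP or Cyrus SASL.
# Exit status 0: slapd can verify PLAIN/LOGIN passwords; 1: a finding was printed.
lint_slapd_sasl_conf() {
    conf="$1"
    status=0
    # Cyrus SASL has no password verifier called "slapd": slapd logs
    # "unknown password verifier(s) slapd" and PLAIN/LOGIN binds fail.
    if grep -Eq '^[[:space:]]*pwcheck_method:[[:space:]]*slapd[[:space:]]*$' "$conf"; then
        echo "$conf: 'pwcheck_method: slapd' is not a valid password verifier"
        status=1
    fi
    # slapd ships its own auxprop plugin; it has to be selected explicitly so
    # the library can fetch userPassword for PLAIN/LOGIN checks.
    if ! grep -E '^[[:space:]]*auxprop_plugin:' "$conf" |
        grep -Eq '(^|[[:space:]])slapd([[:space:]]|$)'; then
        echo "$conf: 'auxprop_plugin: slapd' missing; PLAIN/LOGIN cannot check userPassword"
        status=1
    fi
    # Informational: plain/login transmit the password; they depend on TLS.
    if grep -Eq '^[[:space:]]*mech_list:.*(plain|login)' "$conf"; then
        echo "$conf: note: plain/login are offered; keep them on TLS-protected connections"
    fi
    return "$status"
}

# Constructed sample files: the wrong config from the report and the working one
# from the reply, written into the directory given as $1.
write_sample_confs() {
    dir="$1"
    printf 'pwcheck_method: slapd\nmech_list: plain login digest-md5 external\n' \
        > "$dir/wrong.conf"
    printf 'mech_list: gssapi digest-md5 cram-md5 external plain login\nauxprop_plugin: slapd\n' \
        > "$dir/fixed.conf"
}
```

Run it against the real file with `lint_slapd_sasl_conf /etc/sasl2/slapd.conf` after sourcing the script; a non-zero exit means PLAIN/LOGIN will still fail with "no mechanism available".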
