SASL and LDAP problem
Dan White
dwhite at olp.net
Thu Jul 23 11:14:07 EDT 2009
Gildas Bayard wrote:
> Hello,
>
> I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
> man slapd.conf encourages me into using SASL auth for rootdn instead
> of setting the rootpw parameter in slapd.conf.
>
> So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
> admin at coruscant: userPassword which is what is expected.
> But then I see that the password there is in plain text so I don't
> really get the advantage of using sasldb then. So I decide to use
> saslauthd instead (which in turn will use pam by default).
>
> My problem is that I could not find how to tell openldap to use
> saslauthd instead of sasldb.
>
> I tried to add a /usr/lib/sasl2/slapd.conf file with this inside
> (world readable):
> pwcheck_method: saslauthd
>
> But it seems that this file is not read. I see that ubuntu created a
> /etc/ldap/sasl2 directory for me but how could I know if sasl is
> looking in it? How does sasl know it has to look for a slapd.conf file
> and not openldap.conf or whatever.conf? Is it openldap which specifies
> the conf file to use or is it libsasl2?
>
> Could someone shed some light on this subject for me?
That's controlled by the cyrus sasl slapd.conf config file, which should
be located in /usr/lib/sasl2/slapd.conf (create it if it doesn't exist).
Try the following:
pwcheck_method: saslauthd
To me, it makes a lot of sense to use sasl EXTERNAL for admin access.
For instance, in your /etc/ldap/slapd.conf:
rootdn "cn=admin,dc=example,dc=net"
<No rootpw is specified>
authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
cn=admin,dc=example,dc=net
Then you can add a couple of shorcuts: add "SASL_MECH EXTERNAL" into
your /root/.ldaprc file, and "URI ldapi:///" into /etc/ldap/ldap.conf:
host:~# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=example,dc=net
- Dan
More information about the Cyrus-sasl
mailing list