SASL and LDAP problem

Dan White dwhite at olp.net
Thu Jul 23 11:14:07 EDT 2009


Gildas Bayard wrote:
> Hello,
>
> I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
> man slapd.conf encourages me into using SASL auth for rootdn instead 
> of setting the rootpw parameter in slapd.conf.
>
> So I created a user in sasldb with saslpasswd2. sasldblistusers2 gives me
> admin@coruscant: userPassword which is what is expected.
> But then I see that the password there is in plain text so I don't 
> really get the advantage of using sasldb then. So I decide to use 
> saslauthd instead (which in turn will use pam by default).
>
> My problem is that I could not find how to tell openldap to use 
> saslauthd instead of sasldb.
>
> I tried to add a /usr/lib/sasl2/slapd.conf file with this inside 
> (world readable):
> pwcheck_method: saslauthd
>
> But it seems that this file is not read. I see that ubuntu created a 
> /etc/ldap/sasl2 directory for me but how could I know if sasl is 
> looking in it? How does sasl know it has to look for a slapd.conf file 
> and not openldap.conf or whatever.conf? Is it openldap which specifies 
> the conf file to use or is it libsasl2?
>
> Could someone shed some light on this subject for me?

That's controlled by the cyrus sasl slapd.conf config file, which should 
be located in /usr/lib/sasl2/slapd.conf (create it if it doesn't exist). 
Try the following:

pwcheck_method: saslauthd

To me, it makes a lot of sense to use sasl EXTERNAL for admin access. 
For instance, in your /etc/ldap/slapd.conf:

rootdn          "cn=admin,dc=example,dc=net"
<No rootpw is specified>

authz-regexp
  "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  cn=admin,dc=example,dc=net


Then you can add a couple of shortcuts: add "SASL_MECH EXTERNAL" into 
your /root/.ldaprc file, and "URI    ldapi:///" into /etc/ldap/ldap.conf:

host:~# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=example,dc=net

- Dan
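To make the mapping in Dan's reply concrete, here is a small added model (not code from the post or from OpenLDAP) of what slapd does with the peercred identity once it has been established over ldapi:///. It builds the "SASL username" string that ldapwhoami prints, runs it through an authz-regexp table in order, and substitutes $1..$9 from the matching rule. The first rule is the one from the reply; the second rule (a per-uid mapping into ou=people) and the anchoring with ^ and $ are assumptions added for illustration, and the matcher only models "first matching rule wins, $n substituted", not every detail of slapd's implementation. The BROKEN table shows why the '+' in the peercred name has to be escaped: in a regex, 0+ means "one or more zeros", so an unescaped rule silently stops mapping root to the rootdn.

```python
import re

# Constructed authz-regexp table for this example: (regex, replacement).
# First entry is the peercred -> rootdn mapping from Dan's reply; the second
# (a per-uid mapping into ou=people) is an added assumption, not from the post.
# Patterns are anchored explicitly here; slapd's own matching is modelled only
# as far as "first matching rule wins, $1..$9 are substituted".
AUTHZ_REGEXP = [
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,dc=example,dc=net"),
    (r"^gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$",
     "uidNumber=$1,ou=people,dc=example,dc=net"),
]

# The same first rule with the '+' left unescaped: "0+" is a quantifier
# ("one or more zeros"), so the literal '+' in the peercred name never matches.
BROKEN_AUTHZ_REGEXP = [
    (r"^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,dc=example,dc=net"),
]


def peercred_authcid(uid: int, gid: int) -> str:
    """SASL EXTERNAL authentication identity slapd derives from the Unix
    socket peer credentials of an ldapi:// client (the string ldapwhoami
    prints after 'SASL username:')."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def map_authzid(authcid: str, rules=AUTHZ_REGEXP):
    """Apply authz-regexp rules in order and return the DN produced by the
    first rule whose regex matches, with $1..$9 replaced by the captured
    groups. Returns None when no rule matches: the identity then stays the
    raw SASL name, which names no entry and therefore gets no rootdn rights."""
    for pattern, replacement in rules:
        m = re.search(pattern, authcid)
        if m:
            return re.sub(r"\$([1-9])",
                          lambda g: m.group(int(g.group(1))),
                          replacement)
    return None


if __name__ == "__main__":
    for uid, gid in ((0, 0), (1000, 1000)):
        name = peercred_authcid(uid, gid)
        print(f"{name}\n  -> {map_authzid(name)}")
    print("unescaped '+':",
          map_authzid(peercred_authcid(0, 0), BROKEN_AUTHZ_REGEXP))
```

On a real server the check is the ldapwhoami run shown above: if the "dn:" line comes back as the raw gidNumber=...,cn=auth string instead of cn=admin,dc=example,dc=net, the regexp did not match, and an unescaped '+' is the first thing to look for.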


More information about the Cyrus-sasl mailing list