SASL and LDAP problem

Patrick Ben Koetter p at state-of-mind.de
Fri Jul 24 01:04:19 EDT 2009


* Gildas Bayard <gildas.bayard at hds.utc.fr>:
> I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
> man slapd.conf encourages me into using SASL auth for rootdn instead of  
> setting the rootpw parameter in slapd.conf.
>
> So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
> admin at coruscant: userPassword which is what is expected.
> But then I see that the password there is in plain text so I don't  
> really get the advantage of using sasldb then. So I decide to use  
> saslauthd instead (which in turn will use pam by default).
>
> My problem is that I could not find how to tell openldap to use  
> saslauthd instead of sasldb.
>
> I tried to add a /usr/lib/sasl2/slapd.conf file with this inside (world  
> readable):
> pwcheck_method: saslauthd
>
> But it seems that this file is not read. I see that ubuntu created a  
> /etc/ldap/sasl2 directory for me but how could I know if sasl is looking  
> in it? How does sasl know it has to look for a slapd.conf file and not  

It does. OpenLDAP on Ubuntu looks for the slapd SASL config in
/etc/ldap/sasl2.

> openldap.conf or whatever.conf? Is it openldap which specifies the conf  

It searches for slapd.conf because slapd is the $application_name OpenLDAP
sends to libsasl when slapd is started. The application_name and ".conf" make
up the configuration file name if libsasl is to search for external
configuration instructions.

One could send configuration instructions upon libsasl initialization, but
that is not the case in OpenLDAP.

> file to use or is it libsasl2?
>
> Could someone shed some light on this subject for me?

Put this in /etc/ldap/sasl2/slapd.conf:

pwcheck_method: slapd

It will make OpenLDAP use itself as its user:password database.

When you try to authenticate, OpenLDAP searches for your username in cn=auth.
That's not where your user info is stored.

Edit /etc/ldap/slapd.conf and configure a mapping from the SASL cn=auth branch
to your user branch e.g. like this:

# AUTHORIZATION
# Grant authorization "to" an entry (and not "from" entries) policy
authz-policy to

# SASL AUTHENTICATION MAPPING
authz-regexp
        uid=(.*),cn=.*,cn=auth
        "ldap:///o=Example,dc=com??sub?(|(cn=$1)(uniqueIdentifier=$1))"


For more details read:
<http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities>

HTH,

p at rick



-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
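As an added illustration (not part of the thread, and not OpenLDAP's own code), the following Python snippet parses the authz-regexp directive quoted in the reply above, including its slapd.conf continuation lines, and applies it to the SASL names slapd builds in the cn=auth branch. It assumes slapd treats the pattern as an unanchored, case-insensitive extended regex and substitutes $1 with the first capture; it reports that capture so you can confirm the rewrite for the names your mechanisms actually produce, with and without a realm component.

```python
import re
from typing import List, Optional, Tuple

# Constructed slapd.conf excerpt, copied from the directive in the reply above.
# Continuation lines start with whitespace, as in a real slapd.conf.
SLAPD_CONF = """\
# SASL AUTHENTICATION MAPPING
authz-regexp
        uid=(.*),cn=.*,cn=auth
        "ldap:///o=Example,dc=com??sub?(|(cn=$1)(uniqueIdentifier=$1))"
"""


def parse_authz_regexp(conf_text: str) -> List[Tuple[str, str]]:
    """Return (pattern, replacement) pairs for every authz-regexp directive."""
    logical: List[str] = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no directive
        if line[:1].isspace() and logical:
            logical[-1] += " " + line.strip()  # join continuation line
        else:
            logical.append(line.strip())
    rules = []
    for entry in logical:
        if not entry.startswith("authz-regexp"):
            continue
        m = re.match(r'authz-regexp\s+(\S+)\s+"?([^"]+)"?\s*$', entry)
        if m is None:
            raise ValueError("malformed authz-regexp: " + entry)
        rules.append((m.group(1), m.group(2)))
    return rules


def map_sasl_identity(sasl_dn: str, rules) -> Optional[Tuple[str, str]]:
    """Apply the first matching rule to a SASL name such as
    uid=admin,cn=DIGEST-MD5,cn=auth; returns ($1, rewritten target) or None.

    Assumption: unanchored, case-insensitive matching, as slapd does it.
    Note that a greedy (.*) keeps matching across commas, so when a realm
    component is present $1 is 'admin,cn=coruscant', not 'admin'.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            capture = m.group(1)
            return capture, replacement.replace("$1", capture)
    return None
```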