About DIGEST-MD5 on cyrus-sasl 2.1.23

Nguyen, Quoc Khanh khanhnq at saigontech.edu.vn
Mon Aug 29 06:25:56 EDT 2011



 Hi all,

 I have begun researching the DIGEST-MD5 mechanism instead of using plaintext mechanisms. However, its features are very few. I am following this site: http://www.openldap.org/doc/admin24/sasl.html, but the result failed... or I don't understand anything about DIGEST-MD5.

 Here is my result:

 my slapd.conf is:

 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 include /usr/local/openldap/etc/openldap/schema/core.schema
 include /usr/local/openldap/etc/openldap/schema/cosine.schema
 include /usr/local/openldap/etc/openldap/schema/nis.schema
 include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
 include /usr/local/openldap/etc/openldap/schema/openldap.schema

 # Define global ACLs to disable default read access.

 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral ldap://root.openldap.org

 loglevel 296

 pidfile /usr/local/openldap/var/run/slapd.pid
 argsfile /usr/local/openldap/var/run/slapd.args

 # Misc Security Settings
 password-hash {SSHA}

 # Load dynamic backend modules:
 modulepath /usr/local/openldap/libexec/openldap
 moduleload back_bdb.la
 # moduleload back_hdb.la
 # moduleload back_ldap.la

 # Sample security restrictions
 # Require integrity protection (prevent hijacking)
 # Require 112-bit (3DES or better) encryption for updates
 # Require 63-bit encryption for simple bind
 # security ssf=1 update_ssf=112 simple_bind=64

 # Sample access control policy:
 # Root DSE: allow anyone to read it
 # Subschema (sub)entry DSE: allow anyone to read it
 # Other DSEs:
 # Allow self write access
 # Allow authenticated users read access
 # Allow anonymous users to authenticate
 # Directives needed to implement policy:
 # access to dn.base="" by * read
 # access to dn.base="cn=Subschema" by * read
 # access to *
 # by self write
 # by users read
 # by anonymous auth
 #
 # if no access controls are present, the default policy
 # allows anyone and everyone to read anything but restricts
 # updates to rootdn. (e.g., "access to * by * read")
 #
 # rootdn can always read and write EVERYTHING!

 #######################################################################
 # BDB database definitions
 #######################################################################

 sasl-regexp
   uid=(.*),cn=abc.com,cn=digest-md5,cn=auth
   uid=$1,ou=network,dc=abc,dc=com

 database bdb
 suffix "dc=abc,dc=com"
 rootdn "cn=rootldap,dc=abc,dc=com"
 # Cleartext passwords, especially for the rootdn, should
 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
 rootpw {SSHA}QBEsoednrePQ/Lu5a90Nv4hbsC+BWVkK
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
 directory /usr/local/openldap/var/openldap-data
 mode 0600

 # Indices to maintain
 index objectClass eq
 index uid eq
 index cn,gn,mail eq,sub
 index sn eq,sub
 index ou eq
 index default eq,sub

 I want to store the secret in the LDAP directory, so I use password-hash {SSHA}.

 I think if I use ./slapadd that means the secret is stored in SASLdb, but I just want it in the LDAP directory, so I use:

 ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f quanly.ldif -W

 ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f nhanvien.ldif -W

 and it is successful.

 When I try to use ldapsearch:

 ./ldapsearch -Y digest-md5 -U khanhnq

 SASL/DIGEST-MD5 authentication started
 Please enter your password:
 ldap_sasl_interactive_bind_s: Invalid credentials (49)
 additional info: SASL(-13): user not found: no secret in database

 It said that there is no secret in the database while I used ./ldapadd to add it...

 I... I really don't understand digest-md5. I'm so stupid...

 Please help,

 My nhanvien.ldif:

 dn: cn=Khanh Nguyen,ou=network,dc=abc,dc=com
 objectclass: inetOrgPerson
 cn: Khanh Nguyen
 cn: Khanh Nguyen Quoc
 sn: Khanh
 uid: khanhnq
 userpassword: 123456
 mail: khanhnq at abc.com
 mail: nqk28703 at yahoo.com
 mail: khanhnq at saigontech.edu.vn
 ou: network

 dn: cn=Tai Tran,ou=network,dc=abc,dc=com
 objectclass: inetOrgPerson
 cn: Tai Tran
 cn: Tai Tran Tuan
 sn: Tai
 uid: taitt
 userpassword: 123456
 mail: taitt at abc.com
 mail: taitt at saigontech.edu.vn
 ou: network

 dn: cn=Nam Le,ou=network,dc=abc,dc=com
 objectclass: inetOrgPerson
 cn: Nam Le
 cn: Nam Le Quoc
 sn: Nam
 uid: namlq
 userpassword: 123456
 mail: namlq at abc.com
 mail: namlq at saigontech.edu.vn
 ou: network
 ....

 Best Regards,

-- 
***********************************
 EVERYTHING HAS JUST BEGUN...
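An added illustration, not part of the original post and not OpenLDAP or Cyrus SASL code, of the two pieces this setup depends on. It applies the posted sasl-regexp to the authentication identity that `ldapsearch -Y digest-md5 -U khanhnq` presents, both for the literal-DN replacement used in the post and for the LDAP-URL replacement form documented in the admin guide the post links to, and it carries the RFC 2831 response computation through to show which secret the server side must hold: the cleartext password, or at least MD5(username:realm:password), which RFC 2831 allows a server to store instead. The entries, the realm `abc.com` and the password `123456` come from the post; the nonces and the `ENTRIES` table are constructed sample data; the check at the end uses the worked example printed in RFC 2831 (user `chris`, realm `elwood.innosoft.com`, password `secret`).

```python
"""Added example: sasl-regexp identity mapping and the RFC 2831 DIGEST-MD5
response, using sample data only."""
import base64
import hashlib
import os
import re

# Constructed from the posted nhanvien.ldif: DN plus the attributes used here.
ENTRIES = [
    {"dn": "cn=Khanh Nguyen,ou=network,dc=abc,dc=com", "uid": "khanhnq", "userPassword": "123456"},
    {"dn": "cn=Tai Tran,ou=network,dc=abc,dc=com", "uid": "taitt", "userPassword": "123456"},
    {"dn": "cn=Nam Le,ou=network,dc=abc,dc=com", "uid": "namlq", "userPassword": "123456"},
]

# The match half of the posted sasl-regexp (realm abc.com, mechanism digest-md5).
SASL_REGEXP = re.compile(r"^uid=(.*),cn=abc\.com,cn=digest-md5,cn=auth$")


def map_identity(auth_dn, replacement):
    """Apply one sasl-regexp: substitute the captured uid into the replacement.
    A plain-DN replacement must name an existing entry; an ldap:///base??scope?filter
    replacement is resolved by searching ENTRIES (a model of what slapd does)."""
    m = SASL_REGEXP.match(auth_dn)
    if not m:
        return None
    target = replacement.replace("$1", m.group(1))
    if not target.startswith("ldap:///"):
        return target if any(e["dn"] == target for e in ENTRIES) else None
    base, _attrs, _scope, flt = target[len("ldap:///"):].split("?")
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups()
    hits = [e["dn"] for e in ENTRIES if e["dn"].endswith("," + base) and e.get(attr) == value]
    return hits[0] if len(hits) == 1 else None  # exactly one match, as slapd requires


def ssha_hash(password, salt=None):
    """{SSHA} as slapd stores it: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def ssha_verify(password, stored):
    """Simple bind can check a candidate password against the one-way hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]


def digest_md5_from_ha1(ha1, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response for qop=auth, given H(username:realm:password) as 16 raw
    bytes. This is the minimum the server needs; nothing weaker reproduces it."""
    a1 = hashlib.md5(ha1 + f":{nonce}:{cnonce}".encode()).hexdigest()
    a2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{a1}:{nonce}:{nc}:{cnonce}:auth:{a2}".encode()).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """What the client computes from the cleartext password."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    return digest_md5_from_ha1(ha1, nonce, cnonce, nc, digest_uri)


def server_can_verify_digest(stored_user_password):
    """A userPassword value is usable for DIGEST-MD5 only if it yields the
    cleartext; a {scheme}-prefixed one-way hash such as {SSHA} does not."""
    return re.match(r"^\{\w+\}", stored_user_password) is None


if __name__ == "__main__":
    ident = "uid=khanhnq,cn=abc.com,cn=digest-md5,cn=auth"
    print("literal DN :", map_identity(ident, "uid=$1,ou=network,dc=abc,dc=com"))
    print("ldap URL   :", map_identity(ident, "ldap:///ou=network,dc=abc,dc=com??sub?(uid=$1)"))
    h = ssha_hash("123456")
    print("SSHA ok    :", ssha_verify("123456", h), "| digest-capable:", server_can_verify_digest(h))
    print("RFC 2831   :", digest_md5_response("chris", "elwood.innosoft.com", "secret",
          "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "imap/elwood.innosoft.com"))
```

Run as a script: the literal-DN replacement from the post maps `khanhnq` to `uid=khanhnq,ou=network,dc=abc,dc=com`, which is not the DN of any entry in the posted LDIF (those are `cn=...`), while the URL form finds the entry by its `uid` attribute. On the secret side, `password-hash` in slapd.conf governs only the Password Modify extended operation, per slapd.conf(5), so a `userpassword` value given to ldapadd is stored exactly as written; whichever form ends up stored, the server can only complete DIGEST-MD5 when it can reach the cleartext or H(username:realm:password).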