About DIGEST-MD5 on cyrus-sasl 2.1.23

Dan White dwhite at olp.net
Mon Aug 29 10:53:26 EDT 2011


On 29/08/11 17:25 +0700, Nguyen, Quoc Khanh wrote:
>Hi all,
>
>I have begun researching DIGEST-MD5 mechanisms instead of using plaintext
>mechanisms. However, its features are very few. I am following this site:
>http://www.openldap.org/doc/admin24/sasl.html, but the result is a failure...
>or I don't understand anything about DIGEST-MD5.
>
>Here is my result:
>
> my slapd.conf is:

>password-hash {SSHA}

This password-hash is incompatible with DIGEST-MD5. When performing
password changes via a password extended operation (ldappasswd), the
password will be hashed. DIGEST-MD5 will need access to the plaintext
password.

># security ssf=1 update_ssf=112 simple_bind=64
>
># Sample access control policy:
># Root DSE: allow anyone to read it
># Subschema (sub)entry DSE: allow anyone to read it
># Other DSEs:
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
># Directives needed to implement policy:
># access to dn.base="" by * read
># access to dn.base="cn=Subschema" by * read
># access to *
># by self write
># by users read
># by anonymous auth
>#
># if no access controls are present, the default policy
># allows anyone and everyone to read anything but restricts
># updates to rootdn. (e.g., "access to * by * read")
>#
># rootdn can always read and write EVERYTHING!

My mailer may have messed up the formatting of your access statements.

You'll need at least 'anonymous auth' access to the 'userPassword'
attribute, and probably for 'entry' as well.

This might be sufficient:

access to *
     by self write
     by users read
     by anonymous auth

And you'll need permissive access to supportedSASLMechanisms:

access to dn.base="" by * read

Increase your logging, if necessary, to troubleshoot permissions problems.

>#######################################################################
># BDB database definitions
>
>#######################################################################
>
>
>sasl-regexp
>  uid=(.*),cn=abc.com,cn=digest-md5,cn=auth
>  uid=$1,ou=network,dc=abc,dc=com
>
> database bdb
> suffix "dc=abc,dc=com"
>
>rootdn "cn=rootldap,dc=abc,dc=com"

Check slapd.conf(5) for your version of slapd. sasl-regexp may need to be
authz-regexp.

Again, check your slapd logging output to troubleshoot authz-regexp
config problems.

># Cleartext passwords, especially for the rootdn, should
># be avoid. See slappasswd(8) and slapd.conf(5) for details.
>
># Use of strong authentication encouraged.
<cut>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory /usr/local/openldap/var/openldap-data
>mode 0600
>
># Indices to maintain
>
>index objectClass eq
>index uid eq
>index cn,gn,mail eq,sub
>index sn eq,sub
>index ou eq
>index default eq,sub
>
>I want to store the secret in the LDAP directory, so I use password-hash {SSHA}.
>
>I think if I use ./slapadd that means the secret is stored in SASLdb, but I
>just want it in the LDAP directory, so I use:

slapadd will not store the secret in sasldb.

> ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f quanly.ldif -W
>
>
>./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f nhanvien.ldif -W
>
>and it was successful.
>
>When I try to use ldapsearch:
>
>./ldapsearch -Y digest-md5 -U khanhnq
>
>SASL/DIGEST-MD5 authentication started
>Please enter your password:
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
>additional info: SASL(-13): user not found: no secret in database
>
>It said that no secret in database while I used ./ldapadd to add it...

>My nhanvien.ldif:
>
>dn: cn=Khanh Nguyen,ou=network,dc=abc,dc=com
>objectclass: inetOrgPerson
>cn: Khanh Nguyen
>cn: Khanh Nguyen Quoc
>sn: Khanh
>uid: khanhnq
>userpassword: 123456
>mail: khanhnq at abc.com
>mail: nqk28703 at yahoo.com
>mail: khanhnq at saigontech.edu.vn
>ou: network

Since you're adding your passwords this way, I believe they are getting
stored in cleartext, which should work with DIGEST-MD5. However, the next
time you change the password via ldappasswd, you will lose the ability to
authenticate (with DIGEST-MD5).

Consider changing to:

password-hash {CLEARTEXT}

or find another way to authenticate which does not require plaintext
access to the password, such as SASL PLAIN with starttls.

-- 
Dan White
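To make the {SSHA} versus DIGEST-MD5 incompatibility above concrete, here is an added Python example; it is not code from the thread, cyrus-sasl or OpenLDAP. It builds an OpenLDAP-style {SSHA} value, shows that such a value can only be checked by re-hashing a candidate, and computes the RFC 2831 DIGEST-MD5 response, whose A1 must be derived from the plaintext password (or a stored H(username:realm:password)). The realm, nonces and the ldap/ digest-uri are assumed sample values.

```python
import base64
import hashlib
import os

# Sample values constructed for this example; uid and userPassword mirror the poster's LDIF.
REALM = "abc.com"        # assumed realm
USERNAME = "khanhnq"
PASSWORD = "123456"

def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64( sha1(password || salt) || salt ), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, candidate):
    """{SSHA} can only be verified by re-hashing a candidate; the plaintext is not recoverable."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest

def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 response-value for qop=auth (no authzid).
    A1 starts from H(username:realm:password), the 'secret' a sasldb would hold;
    nothing derivable from an {SSHA} value can stand in for it."""
    md5 = hashlib.md5
    h_user = md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 = h_user + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    inner = f"{md5(a1).hexdigest()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hexdigest()}"
    return md5(inner.encode()).hexdigest()

def usable_for_digest_md5(user_password):
    """slapd can feed DIGEST-MD5 only if userPassword is cleartext (bare or {CLEARTEXT})."""
    if not user_password.startswith("{"):
        return True
    scheme = user_password[1:user_password.index("}")].upper()
    return scheme == "CLEARTEXT"

def demo():
    stored_ssha = ssha_hash(PASSWORD, salt=b"\x01\x02\x03\x04")
    resp = digest_md5_response(USERNAME, REALM, PASSWORD, "n1", "c1", "00000001", f"ldap/{REALM}")
    return {
        "ssha_verifies": ssha_verify(stored_ssha, PASSWORD),
        "ssha_usable": usable_for_digest_md5(stored_ssha),
        "cleartext_usable": usable_for_digest_md5(PASSWORD),
        "response_len": len(resp),
    }
```

Running demo() shows the {SSHA} value verifies a simple bind but is unusable for DIGEST-MD5, while the bare cleartext value from the LDIF is usable.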