About DIGEST-MD5 on cyrus-sasl 2.1.23

Nguyen, Quoc Khanh khanhnq at saigontech.edu.vn
Tue Aug 30 02:47:15 EDT 2011


Thanks...

At the present time, my system is authenticated by SASL PLAIN, LOGIN with
STARTTLS. It worked properly. You have advised me to use DIGEST-MD5, and
also I have read some documents and saw that the DIGEST-MD5 is better
recommended.
So... do you think using authentication by SASL PLAIN, LOGIN with STARTTLS
is more secure? Please give me your opinion.

Best Regards,
-- 
***********************************
    EVERYTHING HAS JUST BEGUN...

On Mon, 29 Aug 2011 09:53:26 -0500, Dan White <dwhite at olp.net> wrote:
> On 29/08/11 17:25 +0700, Nguyen, Quoc Khanh wrote:
>>Hi all,
>>
>>I begin to research about DIGEST-MD5 mechanisms instead of using plaintext
>>mechanisms. However, its features are very few. I following this site:
>>http://www.openldap.org/doc/admin24/sasl.html, but the result is failed...
>>or i don't understand anything about the DIGEST-MD5.
>>
>>Here is my result:
>>
>> my slapd.conf is:
> 
>>password-hash {SSHA}
> 
> This password-hash is incompatible with DIGEST-MD5. When performing
> password changes via a password extended operation (ldappasswd), the
> password will be hashed. DIGEST-MD5 will need access to the plaintext
> password.
> 
>># security ssf=1 update_ssf=112 simple_bind=64
>>
>># Sample access control policy:
>># Root DSE: allow anyone to read it
>># Subschema (sub)entry DSE: allow anyone to read it
>># Other DSEs:
>># Allow self write access
>># Allow authenticated users read access
>># Allow anonymous users to authenticate
>># Directives needed to implement policy:
>># access to dn.base="" by * read
>># access to dn.base="cn=Subschema" by * read
>># access to *
>># by self write
>># by users read
>># by anonymous auth
>>#
>># if no access controls are present, the default policy
>>
>># allows anyone and everyone to read anything but restricts
>># updates to rootdn. (e.g., "access to * by * read")
>>#
>># rootdn can always read and write EVERYTHING!
> 
> My mailer may have messed up the formatting of your access statements.
> 
> You'll need at least 'anonymous auth' access to the 'userPassword'
> attribute, and probably for 'entry' as well.
> 
> This might be sufficient:
> 
> access to *
>      by self write
>      by users read
>      by anonymous auth
> 
> And you'll need permissive access to supportedSASLMechanisms:
> 
> access to dn.base="" by * read
> 
> Increase your logging, if necessary, to troubleshoot permissions problems.
> 
>>#######################################################################
>># BDB database definitions
>>
>>#######################################################################
>>
>>
>>sasl-regexp
>>  uid=(.*),cn=abc.com,cn=digest-md5,cn=auth
>>  uid=$1,ou=network,dc=abc,dc=com
>>
>> database bdb
>> suffix "dc=abc,dc=com"
>>
>>rootdn "cn=rootldap,dc=abc,dc=com"
> 
> Check slapd.conf(5) for your version of slapd. sasl-regexp may need to
> be authz-regexp.
> 
> Again, check your slapd logging output to troubleshoot authz-regexp
> config problems.
> 
>># Cleartext passwords, especially for the rootdn, should
>># be avoid. See slappasswd(8) and slapd.conf(5) for details.
>>
>># Use of strong authentication encouraged.
> <cut>
>># The database directory MUST exist prior to running slapd AND
>># should only be accessible by the slapd and slap tools.
>># Mode 700 recommended.
>>directory /usr/local/openldap/var/openldap-data
>>mode 0600
>>
>># Indices to maintain
>>
>>index objectClass eq
>> index uid eq
>> index cn,gn,mail eq,sub
>> index sn eq,sub
>> index ou eq
>> index default eq,sub
>>
>>I want to store secret in LDAP directory, so i use password-hash {SSHA}.
>>
>>I think if i use to ./slapadd that mean a store secret in SASLdb, but i
>>just want it in LDAP directory, so I use:
> 
> slapadd will not store the secret in sasldb.
> 
>> ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f quanly.ldif -W
>>
>>
>>./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f nhanvien.ldif -W
>>
>>and it was successful.
>>
>>When i try to use ldapsearch:
>>
>>./ldapsearch -Y digest-md5 -U khanhnq
>>
>>SASL/DIGEST-MD5 authentication started
>>Please enter your password:
>>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>>additional info: SASL(-13): user not found: no secret in database
>>
>>It said that no secret in database while I used ./ldapadd to add it...
> 
>>My nhanvien.ldif:
>>
>>dn: cn=Khanh Nguyen,ou=network,dc=abc,dc=com
>>objectclass: inetOrgPerson
>>cn: Khanh Nguyen
>>cn: Khanh Nguyen Quoc
>>sn: Khanh
>>uid: khanhnq
>>userpassword: 123456
>>mail: khanhnq at abc.com
>>mail: nqk28703 at yahoo.com
>>mail: khanhnq at saigontech.edu.vn
>>ou: network
> 
> Since you're adding your passwords this way, I believe they are getting
> stored in cleartext, which should work with DIGEST-MD5. However, the
> next time you change the password via ldappasswd, you will lose the
> ability to authenticate (with DIGEST-MD5).
> 
> Consider changing to:
> 
> password-hash {CLEARTEXT}
> 
> or find another way to authenticate which does not require plaintext
> access to the password, such as SASL PLAIN with starttls.

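A worked illustration of the points made in this thread, added to the archived message and not part of either poster's text or of OpenLDAP/Cyrus SASL itself. It computes the DIGEST-MD5 client response exactly as RFC 2831 defines it, shows that the server can only verify that response when it holds the cleartext password (the first term of A1), whereas an {SSHA} userPassword supports only a simple-bind style comparison, and applies the authz-regexp mapping from the quoted slapd.conf. The nonce, cnonce, usernames and passwords are constructed test values; the regexp is the one from the original config with `$1` written in Python's `\1` form; the {SSHA} encoding follows OpenLDAP's base64(SHA1(password||salt)||salt) layout.

```python
import base64
import hashlib
import hmac
import os
import re


# --- DIGEST-MD5 client response, RFC 2831 section 2.1.2.1 --------------------
def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None):
    """Compute the 'response' directive the client sends.

    The first term of A1 is the *binary* MD5 of user:realm:password. That value
    is the only per-user secret the server needs, and it can only be produced
    from the cleartext password (or stored directly, as sasldb does).
    """
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32            # RFC 2831: 32 zeros for integrity/confidentiality
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


# --- Server side: why a hashed userPassword cannot serve DIGEST-MD5 ----------
def server_check_digest(stored_userpassword, username, realm, nonce, cnonce,
                        nc, qop, digest_uri, client_response):
    """Return (accepted, reason). A scheme-prefixed hash such as {SSHA} leaves
    the server without the cleartext it needs to rebuild A1, so it must refuse.
    The reason strings are constructed for this example, not slapd's messages."""
    if stored_userpassword.startswith("{") and \
            not stored_userpassword.upper().startswith("{CLEARTEXT}"):
        return False, "stored hash cannot be used for DIGEST-MD5"
    plain = re.sub(r"^\{CLEARTEXT\}", "", stored_userpassword, flags=re.IGNORECASE)
    expected = digest_md5_response(username, realm, plain, nonce, cnonce, nc,
                                   qop, digest_uri)
    if hmac.compare_digest(expected, client_response):
        return True, "ok"
    return False, "bad response"


# --- {SSHA}: fine for simple bind, useless for DIGEST-MD5 --------------------
def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Simple-bind style check: recompute the salted hash and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# --- authz-regexp mapping of the SASL authentication DN ----------------------
# Pattern and replacement taken from the quoted slapd.conf ('$1' -> '\1');
# the dot in abc.com is escaped here so it matches literally.
AUTHZ_REGEXP = [
    (re.compile(r"^uid=(.*),cn=abc\.com,cn=digest-md5,cn=auth$"),
     r"uid=\1,ou=network,dc=abc,dc=com"),
]


def map_authcdn(authc_dn):
    """First-match rewrite of uid=<user>,cn=<realm>,cn=digest-md5,cn=auth."""
    for pattern, template in AUTHZ_REGEXP:
        m = pattern.match(authc_dn)
        if m:
            return m.expand(template)
    return None


if __name__ == "__main__":
    # Constructed values for a quick run; the realm is the one from the thread.
    nonce, cnonce, nc, qop, uri = "n0nc3", "cn0nc3", "00000001", "auth", "ldap/abc.com"
    resp = digest_md5_response("khanhnq", "abc.com", "123456", nonce, cnonce, nc, qop, uri)
    print("cleartext store:", server_check_digest("123456", "khanhnq", "abc.com",
                                                  nonce, cnonce, nc, qop, uri, resp))
    print("{SSHA} store:   ", server_check_digest(ssha_hash("123456"), "khanhnq", "abc.com",
                                                  nonce, cnonce, nc, qop, uri, resp))
    print("simple bind:    ", ssha_verify(ssha_hash("123456"), "123456"))
    print("authz mapping:  ", map_authcdn("uid=khanhnq,cn=abc.com,cn=digest-md5,cn=auth"))
```

Running it shows the two halves of Dan's advice side by side: with a cleartext userPassword the server reproduces the client's response and accepts; with the same password stored as {SSHA} it has nothing to rebuild A1 from and must reject, even though {SSHA} still verifies a simple bind over STARTTLS without problems. The mapping call shows where a wrong authz-regexp would land the search for the user's entry.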