Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

LDAP Linux HOWTO
PrevChapter 6. Additional Information and FeaturesNext

6.3. SASL Configuration: Digest-MD5

I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've followed strictly the steps listed bellow:

  • Downloaded SleepyCat 4.2.52, compiling and building manually. After downloading, I've just followed the instructions listed on the file docs/index.html under the directory where I've unpacked the .tar.gz bundle.

    After unpacking you can run the suggested:

    root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#../dist/configure
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make install

  • Downloaded Cyrus SASL 2.1.17, unpacking and following the instructions listed on the document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of attention, you need to run the configure script using some env parameters:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories where Berkeley BDB was installed.

    After that you can run the suggested:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make
root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.17#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

  • Finally, I've installed OpenLDAP 2.2.5 using the same directions listed on this document, just running the configure script the same way as SASL's configure:

    root@rdnt03:/usr/local/openldap-2.2.5#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    After that, I've run the suggested:

    root@rdnt03:/usr/local/openldap-2.2.5#make depend
root@rdnt03:/usr/local/openldap-2.2.5#make
root@rdnt03:/usr/local/openldap-2.2.5#make install

  • Next, I've created the sasl user database:

    root@rdnt03:~# saslpasswd2 -c admin

    You'll be prompted for a password. Remember that the username should not be a DN (distinguished name). Also remember to use the same password as your admin entry on the directory tree.

  • Now, you should set the sasl-regexp directive in the slapd.conf file before starting the slapd daemon and testing the authentication. My slapd.conf file resides at /usr/local/etc/openldap:

    sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever

    This parameter is in the format of:

    uid=<username>,cn=<realm>,cn=<mech>,cn=auth

    The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:

    root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP

    In my case, rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file: 

    dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: [email protected]
uid: admin
cn: Administrator
sn: admin

    Add the entries to your LDAP directory using the following command:

    slapadd -c -l Ever.ldif -f slapd.conf -v -d 256

  • Now, start the slapd daemon and run a query using the ldapsearch command:

    root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
...
Entries
...

That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at https://www.openldap.org/doc/admin22/sasl.html. This link assumes you've already managed to install and configure the SASL library. The mailing lists will help you get going with this matter: https://asg.web.cmu.edu/sasl/index.html#mailinglists

PrevHomeNext
Authentication using LDAPUpGraphical LDAP tools

  
 
  Published under the terms of the GNU General Public License Design by Interspire