Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




6.3. SASL Configuration: Digest-MD5

I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've followed strictly the steps listed bellow:

  • Downloaded SleepyCat 4.2.52, compiling and building manually. After downloading, I've just followed the instructions listed on the file docs/index.html under the directory where I've unpacked the .tar.gz bundle.

    After unpacking you can run the suggested:

    root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make install
  • Downloaded Cyrus SASL 2.1.17, unpacking and following the instructions listed on the document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of attention, you need to run the configure script using some env parameters:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
    LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories where Berkeley BDB was installed.

    After that you can run the suggested:

    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make install
    root@rdnt03:/usr/local/cyrus-sasl-2.1.17#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
  • Finally, I've installed OpenLDAP 2.2.5 using the same directions listed on this document, just running the configure script the same way as SASL's configure:

    root@rdnt03:/usr/local/openldap-2.2.5#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
    LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure

    After that, I've run the suggested:

    root@rdnt03:/usr/local/openldap-2.2.5#make depend
    root@rdnt03:/usr/local/openldap-2.2.5#make install
  • Next, I've created the sasl user database:

    root@rdnt03:~# saslpasswd2 -c admin

    You'll be prompted for a password. Remember that the username should not be a DN (distinguished name). Also remember to use the same password as your admin entry on the directory tree.

  • Now, you should set the sasl-regexp directive in the slapd.conf file before starting the slapd daemon and testing the authentication. My slapd.conf file resides at /usr/local/etc/openldap:

    sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever

    This parameter is in the format of:


    The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:

    root@rdnt03:~# sasldblistusers2
    admin@rdnt03: userPassword
    admin@rdnt03: cmusaslsecretOTP

    In my case, rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:

    dn: o=Ever
    o: Ever
    description: Organization Root
    objectClass: top
    objectClass: organization
    dn: ou=Staff, o=Ever
    ou: Staff
    description: These are privileged users that can interact with Organization products
    objectClass: top
    objectClass: organizationalUnit
    dn: ou=People, o=Ever
    ou: People
    objectClass: top
    objectClass: organizationalUnit
    dn: uid=admin, ou=Staff, o=Ever
    uid: admin
    cn: LDAP Adminstrator
    sn: admin
    userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    objectClass: Top
    objectClass: Person
    objectClass: Organizationalperson
    objectClass: Inetorgperson
    dn: uid=admin,ou=People,o=Ever
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    displayName: admin
    mail: [email protected]
    uid: admin
    cn: Administrator
    sn: admin

    Add the entries to your LDAP directory using the following command:

    slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
  • Now, start the slapd daemon and run a query using the ldapsearch command:

    root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: admin@rdnt03
    SASL SSF: 128
    SASL installing layers

That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at This link assumes you've already managed to install and configure the SASL library. The mailing lists will help you get going with this matter:

  Published under the terms of the GNU General Public License Design by Interspire