6.3. SASL Configuration: Digest-MD5
I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I've
followed strictly the steps listed bellow:
Downloaded SleepyCat 4.2.52, compiling and building manually. After downloading,
I've just followed the instructions listed on the file docs/index.html under the directory where I've
unpacked the .tar.gz bundle.
After unpacking you can run the suggested:
Downloaded Cyrus SASL 2.1.17, unpacking and following the instructions listed on the
document doc/install.html, under the directory where I've unpacked the .tar.gz file. Here there's a point of
attention, you need to run the configure script using some env parameters:
[email protected]:/usr/local/cyrus-sasl-2.1.17#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
The CPPFLAGS and LDFLAGS environment parameters should point to the respective include and lib directories
where Berkeley BDB was installed.
After that you can run the suggested:
Finally, I've installed OpenLDAP 2.2.5 using the same directions listed on this document, just running
the configure script the same way as SASL's configure:
[email protected]:/usr/local/openldap-2.2.5#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
After that, I've run the suggested:
Next, I've created the sasl user database:
You'll be prompted for a password. Remember that the username should not be a DN (distinguished name).
Also remember to use the same password as your admin entry on the directory tree.
Now, you should set the sasl-regexp directive in the
slapd.conf file before
starting the slapd daemon and testing the authentication. My slapd.conf file resides at
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
This parameter is in the format of:
The username is taken from sasl and inserted into the ldap search string in the place of $1.Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases it isn't, like mine. To find out what your realm is do:
In my case,
rdnt03 is indicated as the realm. If it is your FQDN you shouldn't have any problems. I use the following LDIF file:
description: Organization Root
dn: ou=Staff, o=Ever
description: These are privileged users that can interact with Organization products
dn: ou=People, o=Ever
dn: uid=admin, ou=Staff, o=Ever
cn: LDAP Adminstrator
mail: [email protected]
Add the entries to your LDAP directory using the following command:
slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
Now, start the
slapd daemon and run a query using the ldapsearch command:
That's it ! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
https://www.openldap.org/doc/admin22/sasl.html. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: https://asg.web.cmu.edu/sasl/index.html#mailinglists