Gildas Bayard wrote:
Hello,
I'm setting up a new ldap server on ubuntu server 8.04.3 LTS.
man slapd.conf encourages me into using SASL auth for rootdn instead
of setting the rootpw parameter in slapd.conf.
So I created a user in sasldb with saslpasswd2. sasldblistusers2 give me
admin@coruscant: userPassword which is what is expected.
But then I see that the password there is in plain text so I don't
really get the advantage of using sasldb then. So I decide to use
saslauthd instead (which in turn will use pam by default).
My problem is that I could not find how to tell openldap to use
saslauthd instead of sasldb.
I tried to add a /usr/lib/sasl2/slapd.conf file with this inside
(world readable):
pwcheck_method: saslauthd
But it seems that this file is not read. I see that ubuntu created a
/etc/ldap/sasl2 directory for me but how could I know if sasl is
looking in it? How does sasl know it has to look for a slapd.conf file
and not openldap.conf or whatever.conf? Is it openldap which specifies
the conf file to use or is it libsasl2?
Could someone shed some light on this subject for me?
That's controlled by the cyrus sasl slapd.conf config file, which should
be located in /usr/lib/sasl2/slapd.conf (create it if it doesn't exist).
Try the following:
pwcheck_method: saslauthd
To me, it makes a lot of sense to use sasl EXTERNAL for admin access.
For instance, in your /etc/ldap/slapd.conf:
rootdn "cn=admin,dc=example,dc=net"
<No rootpw is specified>
authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
cn=admin,dc=example,dc=net
Then you can add a couple of shorcuts: add "SASL_MECH EXTERNAL" into
your /root/.ldaprc file, and "URI ldapi:///" into /etc/ldap/ldap.conf:
host:~# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=example,dc=net
- Dan
