On 29/08/11 17:25 +0700, Nguyen, Quoc Khanh wrote:
> Hi all, I am beginning to research DIGEST-MD5 mechanisms instead of using plaintext mechanisms. However, its features are very few. I followed this site: http://www.openldap.org/doc/admin24/sasl.html, but the result failed... or I don't understand anything about DIGEST-MD5. Here is my result: my slapd.conf is:
>
> password-hash {SSHA}
This password-hash is incompatible with DIGEST-MD5. When performing password changes via a password extended operation (ldappasswd), the password will be hashed. DIGEST-MD5 will need access to the plaintext password.
> # security ssf=1 update_ssf=112 simple_bind=64
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
My mailer may have messed up the formatting of your access statements. You'll need at least 'anonymous auth' access to the 'userPassword' attribute, and probably for 'entry' as well. This might be sufficient:

access to *
        by self write
        by users read
        by anonymous auth

And you'll need permissive access to supportedSASLMechanisms:

access to dn.base="" by * read

Increase your logging, if necessary, to troubleshoot permissions problems.
> #######################################################################
> # BDB database definitions
> #######################################################################
> sasl-regexp uid=(.*),cn=abc.com,cn=digest-md5,cn=auth uid=$1,ou=network,dc=abc,dc=com
> database bdb
> suffix "dc=abc,dc=com"
> rootdn "cn=rootldap,dc=abc,dc=com"
Check slapd.conf(5) for your version of slapd. sasl-regexp may need to be authz-regexp. Again, check your slapd logging output to troubleshoot authz-regexp config problems.
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
<cut>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /usr/local/openldap/var/openldap-data
> mode 0600
> # Indices to maintain
> index objectClass eq
> index uid eq
> index cn,gn,mail eq,sub
> index sn eq,sub
> index ou eq
> index default eq,sub
>
> I want to store the secret in the LDAP directory, so I use password-hash {SSHA}. I think if I use ./slapadd, that means it stores the secret in sasldb, but I just want it in the LDAP directory, so I use:
slapadd will not store the secret in sasldb.
> ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f quanly.ldif -W
> ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f nhanvien.ldif -W
>
> and it was successful. When I try to use ldapsearch:
>
> ./ldapsearch -Y digest-md5 -U khanhnq
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
>
> It said that there is no secret in the database, while I used ./ldapadd to add it...
>
> My nhanvien.ldif:
>
> dn: cn=Khanh Nguyen,ou=network,dc=abc,dc=com
> objectclass: inetOrgPerson
> cn: Khanh Nguyen
> cn: Khanh Nguyen Quoc
> sn: Khanh
> uid: khanhnq
> userpassword: 123456
> mail: khanhnq@xxxxxxx
> mail: nqk28703@xxxxxxxxx
> mail: khanhnq@xxxxxxxxxxxxxxxxx
> ou: network
Since you're adding your passwords this way, I believe they are getting stored in cleartext, which should work with DIGEST-MD5. However, the next time you change the password via ldappasswd, you will lose the ability to authenticate (with DIGEST-MD5). Consider changing to:

password-hash {CLEARTEXT}

or find another way to authenticate which does not require plaintext access to the password, such as SASL PLAIN with starttls.

-- 
Dan White
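Added example, not part of this thread and not OpenLDAP or Cyrus SASL code: a small Python script that shows why the password-hash setting decides the outcome here. It computes the RFC 2831 DIGEST-MD5 response the way both client and server must, and contrasts that with what an {SSHA} userPassword value actually holds (a salted SHA-1 digest that can be verified against a candidate password but never turned back into the password). The uid khanhnq, realm abc.com (from the sasl-regexp line) and password 123456 are taken from the thread; the nonce, cnonce, digest-uri and the server_verify helper are constructed for illustration and do not model slapd's auxprop lookup or the exact SASL(-13) error path.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- What {SSHA} stores: a salted SHA-1 digest, verifiable but not reversible ---

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value (same layout slappasswd emits)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Simple-bind style check: re-hash the candidate with the stored salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# --- RFC 2831 DIGEST-MD5 response, which client and server both compute ---

def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """Client-side 'response' directive (no authzid). Needs the plaintext password."""
    md5 = lambda b: hashlib.md5(b).digest()
    md5hex = lambda b: hashlib.md5(b).hexdigest()
    # A1 = H(username:realm:password) ":" nonce ":" cnonce   (H = raw MD5 bytes)
    a1 = md5(f"{username}:{realm}:{password}".encode("utf-8")) \
        + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri (qop=auth, so no trailing body hash)
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k ":" s)
    return md5hex(f"{md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5hex(a2)}".encode("utf-8"))


def server_verify(stored_userpassword: str, client_response: str, username: str,
                  realm: str, nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str) -> Optional[bool]:
    """Illustrative server side (hypothetical helper, not slapd's code).

    Returns True/False when the stored secret lets the server recompute the
    response, and None when it cannot: a hashed scheme such as {SSHA} gives the
    server nothing it can feed into H(username:realm:password).
    """
    if stored_userpassword.startswith("{CLEARTEXT}"):
        plaintext = stored_userpassword[len("{CLEARTEXT}"):]
    elif stored_userpassword.startswith("{"):
        return None                                # {SSHA}, {SHA}, {MD5}, ...: no usable secret
    else:
        plaintext = stored_userpassword            # no scheme prefix: stored as typed (the ldapadd case)
    expected = digest_md5_response(username, realm, plaintext, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    # Constructed challenge values; the username/realm/password come from the thread.
    params = dict(username="khanhnq", realm="abc.com", nonce="constructed-server-nonce",
                  cnonce="constructed-client-nonce", nc="00000001", qop="auth",
                  digest_uri="ldap/ldap.abc.com")
    resp = digest_md5_response(password="123456", **params)

    as_typed = "123456"                            # what ldapadd of 'userpassword: 123456' leaves behind
    after_ldappasswd = ssha_hash("123456")         # what password-hash {SSHA} produces on a change
    print("stored as typed      ->", server_verify(as_typed, resp, **params))        # True
    print("stored {CLEARTEXT}   ->", server_verify("{CLEARTEXT}123456", resp, **params))
    print("stored {SSHA}        ->", server_verify(after_ldappasswd, resp, **params))  # None
    print("simple bind vs {SSHA}->", ssha_verify("123456", after_ldappasswd))         # True
```

The None result for the {SSHA} case is the whole story of the thread: simple bind can still verify the salted hash, but DIGEST-MD5 has no way to derive H(username:realm:password) from it, so the mechanism breaks the first time ldappasswd rewrites the entry under password-hash {SSHA}.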