<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>SASL Configuration: Digest-MD5</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="LDAP Linux HOWTO" HREF="index.html">
<LINK REL="UP" TITLE="Additional Information and Features" HREF="additional.html">
<LINK REL="PREVIOUS" TITLE="Authentication using LDAP" HREF="authentication.html">
<LINK REL="NEXT" TITLE="Graphical LDAP tools" HREF="graphicaltools.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">LDAP Linux HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="authentication.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 6. Additional Information and Features</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="graphicaltools.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="sasl"></A>6.3. SASL Configuration: Digest-MD5</H1>
<P>I've got LDAP-SASL authentication running using the DIGEST-MD5 mechanism. To accomplish that, I strictly
followed the steps listed below:</P>
<UL>
<LI>
<P>Downloaded Sleepycat's Berkeley DB 4.2.52 and compiled and built it manually. After downloading,
I simply followed the instructions in the file docs/index.html under the directory where I
unpacked the .tar.gz bundle.</P>
<P>After unpacking, you can run the suggested commands:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#../dist/configure
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make
root@rdnt03:/usr/local/BerkeleyDB.4.2/build_unix#make install
</PRE></FONT></TD></TR>
</TABLE>
</LI>
<LI>
<P>Downloaded Cyrus SASL 2.1.17, unpacked it and followed the instructions in the document
doc/install.html under the directory where I unpacked the .tar.gz file. One point needs attention
here: you need to run the configure script with some environment variables set:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:/usr/local/cyrus-sasl-2.1.17#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure</PRE></FONT></TD></TR>
</TABLE>
<P>The CPPFLAGS and LDFLAGS environment variables should point to the include and lib directories,
respectively, where Berkeley DB was installed.</P>
<P>After that, you can run the suggested commands:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make
root@rdnt03:/usr/local/cyrus-sasl-2.1.17#make install
root@rdnt03:/usr/local/cyrus-sasl-2.1.17#ln -s /usr/local/lib/sasl2 /usr/lib/sasl2</PRE></FONT></TD></TR>
</TABLE>
</LI>
<LI>
<P>Finally, I installed OpenLDAP 2.2.5 following the same directions given elsewhere in this document,
only running the configure script the same way as SASL's configure:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:/usr/local/openldap-2.2.5#env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" ./configure</PRE></FONT></TD></TR>
</TABLE>
<P>After that, I ran the suggested commands:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:/usr/local/openldap-2.2.5#make depend
root@rdnt03:/usr/local/openldap-2.2.5#make
root@rdnt03:/usr/local/openldap-2.2.5#make install</PRE></FONT></TD></TR>
</TABLE>
</LI>
<LI>
<P>Next, I created the SASL user database:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:~# saslpasswd2 -c admin</PRE></FONT></TD></TR>
</TABLE>
<P>You'll be prompted for a password. Remember that the username should not be a DN (distinguished name).
Also remember to use the same password as the admin entry in your directory tree.</P>
</LI>
<LI>
<P>Now, you should set the sasl-regexp directive in the <EM>slapd.conf</EM> file before
starting the slapd daemon and testing the authentication. My <EM>slapd.conf</EM> file resides at
/usr/local/etc/openldap:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever</PRE></FONT></TD></TR>
</TABLE>
<P>The first argument of this directive matches SASL identities in the format:</P>
<P>uid=&lt;username&gt;,cn=&lt;realm&gt;,cn=&lt;mech&gt;,cn=auth</P>
<P>The username is taken from SASL and substituted for $1 in the LDAP search string. Your realm is supposed to be your FQDN (fully qualified domain name), but in some cases, like mine, it isn't. To find out what your realm is, run:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:~# sasldblistusers2
admin@rdnt03: userPassword
admin@rdnt03: cmusaslsecretOTP</PRE></FONT></TD></TR>
</TABLE>
<P>In my case, <EM>rdnt03</EM> is indicated as the realm. If it is your FQDN, you shouldn't have any problems. I use the following LDIF file:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Administrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
</PRE></FONT></TD></TR>
</TABLE>
<P>Add the entries to your LDAP directory using the following command:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">slapadd -c -l Ever.ldif -f slapd.conf -v -d 256</PRE></FONT></TD></TR>
</TABLE>
</LI>
<LI>
<P>Now, start the <EM>slapd</EM> daemon and run a query using the <EM>ldapsearch</EM> command:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><FONT COLOR="#000000"><PRE CLASS="screen">root@rdnt03:~# ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: admin@rdnt03
SASL SSF: 128
SASL installing layers
...
Entries
...</PRE></FONT></TD></TR>
</TABLE>
</LI>
</UL>
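To make the realm point concrete, here is an added example (not code from the HOWTO or from OpenLDAP) that walks one DIGEST-MD5 exchange in Python and then applies the sasl-regexp directive from the step above to the identity that authenticated. The digest arithmetic follows RFC 2831; the nonces, the `ldap/rdnt03` digest-uri, the secret held for admin@rdnt03 and the `SASLDB` dictionary standing in for what saslpasswd2 created are all constructed, and the whole-string, case-insensitive matching in `map_dn` is an assumption made for the demonstration, not a statement about slapd's own matcher.

```python
"""DIGEST-MD5 (RFC 2831) exchange plus the slapd sasl-regexp identity mapping.

Added example; not from the HOWTO. Nonces, secret, digest-uri and the
SASLDB stand-in are constructed.
"""
import hashlib
import hmac
import re


# ---- RFC 2831 digest arithmetic -------------------------------------------

def _ha1(username, realm, password, nonce, cnonce, authzid=None):
    # H(username:realm:password) is used as raw 16 bytes before the nonces
    # are appended: the realm is hashed into the secret, so it has to match
    # on both sides character for character.
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 = inner + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    return hashlib.md5(a1).hexdigest()


def _digest(a2, username, realm, password, nonce, cnonce, nc, qop):
    ha1 = _ha1(username, realm, password, nonce, cnonce)
    ha2 = hashlib.md5(a2.encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The 'response' value the client sends in its digest-response."""
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32  # integrity / confidentiality layer variants
    return _digest(a2, username, realm, password, nonce, cnonce, nc, qop)


def server_rspauth(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The 'rspauth' the server returns so the client can check it too knows the secret."""
    a2 = f":{digest_uri}"  # the server's A2 has no "AUTHENTICATE" prefix
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _digest(a2, username, realm, password, nonce, cnonce, nc, qop)


# ---- what the saslpasswd2 step produced (constructed secret) ---------------
# DIGEST-MD5 needs a cleartext-equivalent secret on the server side.
SASLDB = {("admin", "rdnt03"): "correct horse"}

# ---- the HOWTO's sasl-regexp directive, split into its two arguments ------
SASL_REGEXP = (r"uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,o=Ever")


def sasl_authz_dn(username, realm, mech="DIGEST-MD5"):
    """The synthetic DN slapd forms from the SASL identity before mapping."""
    return f"uid={username},cn={realm},cn={mech},cn=auth"


def map_dn(authz_dn, pattern=SASL_REGEXP):
    """Apply sasl-regexp. Assumes whole-string, case-insensitive matching (demo assumption)."""
    m = re.fullmatch(pattern[0], authz_dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), pattern[1])


# ---- one exchange: client -> server -> mapped DN ---------------------------

def exchange(username, realm, password, nonce="n1", cnonce="c1"):
    """Return (mapped_dn, rspauth_ok); (None, False) when authentication fails."""
    nc, qop, uri = "00000001", "auth", "ldap/rdnt03"
    # client side: only the client holds `password`
    resp = client_response(username, realm, password, nonce, cnonce, nc, qop, uri)
    # server side: recompute from the stored secret, compare in constant time
    secret = SASLDB.get((username, realm))
    if secret is None:
        return None, False
    expected = client_response(username, realm, secret, nonce, cnonce, nc, qop, uri)
    if not hmac.compare_digest(expected, resp):
        return None, False
    rspauth = server_rspauth(username, realm, secret, nonce, cnonce, nc, qop, uri)
    # client side again: verify rspauth against its own copy of the secret
    mine = server_rspauth(username, realm, password, nonce, cnonce, nc, qop, uri)
    return map_dn(sasl_authz_dn(username, realm)), hmac.compare_digest(rspauth, mine)


if __name__ == "__main__":
    print(exchange("admin", "rdnt03", "correct horse"))              # mapped DN, True
    print(exchange("admin", "rdnt03.example.com", "correct horse"))  # (None, False)
```

Two things fall out of it. The realm is hashed into A1, so a client presenting admin@rdnt03.example.com produces a different response even with the right password, and the synthetic DN it yields would not match the regexp either; that is why the HOWTO has you read the realm back with sasldblistusers2 before writing the directive. The server recomputes the response from the stored secret, so DIGEST-MD5 requires a cleartext-equivalent credential in sasldb rather than the hashed userPassword in the LDIF, which is the reason for keeping the two passwords identical. The auth-conf branch is what the "SASL installing layers" and "SASL SSF: 128" lines in the ldapsearch output correspond to. DIGEST-MD5 itself was moved to Historic status by RFC 6331 in 2011, so on a current deployment prefer SCRAM or GSSAPI over TLS; the arithmetic above is still what you meet when reading older SASL logs.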
<P>That's it! If you prefer to use SASL with Kerberos V or GSSAPI, there's a useful link at
<A HREF="http://www.openldap.org/doc/admin22/sasl.html" TARGET="_top">http://www.openldap.org/doc/admin22/sasl.html</A>. This link assumes you've already managed to install and configure the SASL library.
The mailing lists will help you get going with this matter: <A HREF="http://asg.web.cmu.edu/sasl/index.html#mailinglists" TARGET="_top">http://asg.web.cmu.edu/sasl/index.html#mailinglists</A></P>
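The LDIF in the sasl-regexp step above stores the admin password as a {SHA} userPassword value. As an added example (not from the HOWTO), the following Python generates and verifies such values, including the salted {SSHA} form that slappasswd produces by default; the passwords and the fixed salt are constructed, and nothing here touches the hash printed in the HOWTO.

```python
"""Generate and verify RFC 2307-style {SHA} / {SSHA} userPassword values.

Added example; not from the HOWTO. Passwords and salts are constructed.
"""
import base64
import hashlib
import hmac
import os


def make_sha(password):
    """Unsalted {SHA}: base64(SHA-1(password)); the scheme used in the HOWTO's LDIF."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt); slappasswd's default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password, stored):
    """Check a candidate password against a {SHA} or {SSHA} userPassword value.

    Anything that is not one of those two schemes (cleartext, {CRYPT}, ...)
    is rejected rather than guessed at.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    scheme = scheme.upper()
    if scheme == "SHA":
        digest, salt = raw, b""
    elif scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    else:
        return False
    candidate = hashlib.sha1(password.encode() + salt).digest()
    # constant-time compare; differing lengths simply compare unequal
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "constructed-pw"
    print(make_sha(pw), verify(pw, make_sha(pw)))
    print(make_ssha(pw), verify(pw, make_ssha(pw)))
```

This value is what slapd consults for a simple bind. DIGEST-MD5 never looks at it: it verifies against the secret saslpasswd2 wrote to sasldb, which is why the HOWTO tells you to give both stores the same password and why the LDAP entry alone is not enough for the SASL bind. Unsalted {SHA} means two accounts with the same password share a hash and a precomputed table applies to all of them, so when the directory's userPassword is what you actually authenticate against, store {SSHA} at minimum (slappasswd's default) or one of the stronger schemes a current slapd supports.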
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="authentication.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="graphicaltools.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Authentication using LDAP</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="additional.html" ACCESSKEY="U">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Graphical LDAP tools</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>