Passwords in salsdb2
Start with:sudo apt-get install sasl2-binthan create a user:
sudo saslpasswd2 -c francesco(script prompts for password and confirm password)
sudo chown openldap /etc/sasldb2Modify cn=config with the following:
dn: cn=config changetype: modify replace: olcSaslAuxprops olcSaslAuxprops: sasldbcreate a map for the user:
dn: cn=config changetype: modify delete: olcAuthzRegexp olcAuthzRegexp: "uid=francesco,cn=digest-md5,cn=auth" "cn=joe,dc=example,dc=org"The entry cn=joe,dc=example,dc=org can be created later, or not created at all, if you simply need a principal to fulfill a ACL rule.
Restart OpenLDAP in order to apply olcAuthzRegexp (required by mine experience on Debian, OpenLDAP-2.4.39).
Test with:
ldapwhoami -U francesco -H ldapi:/// -Y DIGEST-MD5 SASL/DIGEST-MD5 authentication started Please enter your password: SASL username: francesco SASL SSF: 128 SASL data security layer installed. dn:cn=joe,dc=example,dc=orgType the password choosed in the saslpasswd2 step. If by chance you are logged is as 'francesco', the -U francesco switch can be omitted.
Passwords in directory
Create the joe user:dn: cn=joe,dc=unimore,dc=it objectClass: inetOrgPerson cn: joe sn: user uid: joe description: Just plain Joe userPassword: joesecretRollback the olcSaslAuxprops if you changed it (if not, this step is not necessary as it is the default):
dn: cn=config changetype: modify replace: olcSaslAuxprops olcSaslAuxprops: slapdAdd the olcAuthzRegexp rules to map the MD5-DIGEST username to a directory entry, and you are ready:
ldapwhoami -U francesco -H ldapi:/// -Y DIGEST-MD5then type the joe's password (joesecret in this example).
- "client response doesn't match what we generated (tried bogus)" means you typed the wrong password.
- "generic failure: unable to canonify user and get auxprops" could be either userPassword is not CLEARTEXT or userPassword is not readable by joe user (because of ACLs).
No comments:
Post a Comment