# OpenLDAP and SASL?

## crazyzed

I have just set up a clean Linux installation on a test server, and I have followed a guide on how to set up OpenLDAP.

But I soon get stuck, giving the command

```
ldapsearch -D "cn=root,dc=tuxnet,dc=local" -W
```

brings me

```
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
...
```

I have then tried passing the -x command (for simple authentication)

```
ldapsearch -x -D "cn=root,dc=tuxnet,dc=local" -W
```

which seems to work better

```
Enter LDAP Password:
# extended LDIF
#
...
```

(I have not entered any information into the directory yet)

I would like to use Webmin for putting in users and groups into the directory but Webmin gives me an error

```
Failed to save group : Failed to add group to LDAP database : modifications require authentication
```

I guess this also has something to do with SASL not being configured properly?

First of all, is it OK to use a .local domain in OpenLDAP?

And how can I turn off SASL (for now) and only use simple authentication?

----------

## Jeremy_Z

I do not know about Webmin, but you should be able to use simple authentication.

Perhaps you can try JXplorer, which is a good LDAP client that works with simple authentication, and you shouldn't have any issue tunneling through SSH if you do not want your LDAP open to the world.

----------

## crazyzed

Thanks for your reply. I had a look at JXplorer and a few others, and they look good and work well for browsing, but I cannot make changes from any of the GUIs. Some authentication problem!! Anyway, I'm still struggling trying to get SASL DIGEST-MD5 running.

I've had a look at the guide at http://www.bind9.net/manual/openldap/2.2/sasl.html

Since I want my secrets stored in the LDAP directory and not in sasldb I added

```
password-hash   {CLEARTEXT}
```

to slapd.conf as the guide says.

Now it comes to setting the sasl-regexp directives, and I get lost here ;)

I want to be able to login using SASL with my 'rootdn' created in slapd.conf

```
rootdn          "cn=Manager,dc=tuxnet,dc=local"
```

and 'Manager' is not set up anywhere else in the LDAP directory, so how do I configure sasl-regexp?

```
sasl-regexp
        uid=(.*),cn=.*,cn=auth
        uid=$1,ou=person,dc=tuxnet,dc=local
...
```

I have tried to remove 'ou=person' since Manager is not located in the person ou, but it makes no difference.

(I need to have saslauthd running, right?)

----------

## Jeremy_Z

I never bothered using SASL, but if I understood well:

1. you need to add the passwords in SASL with:

```
saslpasswd2 -c Manager
```

2. you need to configure sasl-regexp in slapd.conf to perform the mapping; note that the example given

```
  sasl-regexp
          uid=(.*),cn=.*,cn=auth
          uid=$1,ou=person,dc=example,dc=com
```

is for users with a DN like `uid=<xxx>,ou=person,dc=example,dc=com`

and therefore won't work for Manager (cn=Manager,dc=tuxnet,dc=local).

You have to do:

```
  sasl-regexp
          uid=Manager,cn=.*,cn=auth
          cn=Manager,dc=tuxnet,dc=local
```

3. As a side note, I would not recommend storing passwords in LDAP as clear text:

```
password-hash {CLEARTEXT}
```

Use SSHA, for example.
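
A worked model of the mapping described in points 2 and 3 above, added here as an example; it is not code from the thread or from OpenLDAP. It applies the two sasl-regexp rules to the synthetic SASL DN (`uid=<authcid>,cn=<mech>,cn=auth`, optionally with a realm field) and checks whether the result is a DN slapd could bind as; the directory contents and user names are constructed.

```python
import re

# Constructed rules modelled on the two sasl-regexp examples in the thread:
# (regex over the SASL authentication DN, replacement using $1..$9).
# slapd tries the rules in order and uses the first one that matches, so the
# rule for the rootdn must come before the generic per-user rule.
SASL_REGEXP_RULES = [
    (r"uid=Manager,cn=.*,cn=auth", "cn=Manager,dc=tuxnet,dc=local"),
    (r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=person,dc=tuxnet,dc=local"),
]

# Constructed stand-in for the directory contents. The rootdn from slapd.conf
# is not an entry, which is exactly the situation described in the thread.
ROOTDN = "cn=Manager,dc=tuxnet,dc=local"
DIRECTORY_ENTRIES = {"uid=bob,ou=person,dc=tuxnet,dc=local"}


def sasl_authc_dn(authcid, mech, realm=None):
    """Synthetic DN slapd builds from a SASL identity (realm field optional)."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech},cn=auth"


def map_sasl_dn(sasl_dn, rules=SASL_REGEXP_RULES):
    """Apply the first matching rule and expand $1..$9; None if nothing matches."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m is not None:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def can_bind(authcid, mech="DIGEST-MD5", realm=None):
    """Return (mapped DN, True if it is the rootdn or an existing entry)."""
    dn = map_sasl_dn(sasl_authc_dn(authcid, mech, realm))
    return dn, dn is not None and (dn == ROOTDN or dn in DIRECTORY_ENTRIES)


if __name__ == "__main__":
    # With both rules: Manager reaches the rootdn, bob reaches his entry.
    print(can_bind("Manager"), can_bind("bob"))
    # With only the generic rule, Manager maps to a DN that does not exist,
    # which is why the SASL bind in the thread could not authenticate.
    print(map_sasl_dn(sasl_authc_dn("Manager", "DIGEST-MD5"), SASL_REGEXP_RULES[1:]))
    # Caveat: if a realm field is present, the greedy (.*) in the generic rule
    # also captures the realm, so the mapped DN again does not exist.
    print(can_bind("bob", realm="tuxnet.local"))
```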

----------

## crazyzed

Thanks man, I'm finally starting to get things to work now :)

----------

## ebbeyes

I'm having problems with SASL authenticating me automatically

```
ldapbox openldap # ldapsearch -D "uid=ebb,ou=People,dc=toplevel,dc=org"
SASL/DIGEST-MD5 authentication started
...
```

but if I try

```
ldapbox openldap # ldapsearch -I -D "uid=ebb,ou=People,dc=toplevel,dc=org"
SASL/DIGEST-MD5 authentication started
...
```

I get a full listing of my LDAP with no problems.

this is the relevant part of my slapd.conf

```
password-hash   {CLEARTEXT}
sasl-regexp
...
```

here is what is listed in sasldblistusers2

```
ldapbox openldap # sasldblistusers2
ebb@ldapbox: userPassword
...
```

and the entry in ldap

```
# ebb, People, toplevel.org
dn: uid=ebb,ou=People,dc=toplevel,dc=org
...
```

----------

## prymitive

If you want to have LDAP auth with SASL but get the passwords from LDAP, not sasldb, you need to add a file:

/etc/sasl2/slapd.conf:

```
pwcheck_method: auxprop
auxprop_plugin: slapd
auto_transition: yes
ldapdb_uri: ldap://your.ldap.server
```

+ you need to store passwords in LDAP in cleartext.

----------

