[Wylug-help] slapd authentication (Ubuntu Breezy) ... SASL Probs?

Dave Fisher wylug-help at davefisher.co.uk
Sat May 20 18:09:26 BST 2006


On Sat, May 20, 2006 at 05:06:48PM +0100, Dave Fisher wrote:
> But I can't seem to authenticate in any way, i.e. via simple authentication or
> via SASL.  So I can't enter/change any basic test data to practice on.

To answer my own query, it appears that there is a problem with the
default debian config.

I am not certain of the ultimate cause, but I have found a _temporary_
'solution'.

Almost every OpenLDAP tutorial and howto I read, instructs the novice to
set two parameters in slapd.conf:

  rootdn
  rootpw

No such parameters exist in a default Debian/Ubuntu install, but
simple authentication 'works' if you set them correctly in a
Debian/Ubuntu slapd.conf.

Initial research, which may yet be confirmed true, suggests that the
absence of these parameters is deliberate ... implying that Debian had
some 'better' way of ensuring security (SASL based ?).

rootdn is pretty straight-forward (or as straight-forward as anything to
do with LDAP ever gets!), e.g.

  rootdn cn=admin,dc=localhost,dc=localdomain

The value for rootpw is basically just a hash of a password created with
/usr/sbin/slappasswd, e.g.

  rootpw {SSHA}px5ZLSPdSpcPQEXdTZbvwFlcw6tG3GnW

In other words, you just copy the hash generated by slappasswd on the
command line into this space in slapd.conf. N.B. the example hash above
is not for real.

If I'm right in assuming that Debian actually has some cunning SASL
based-method, it may still be the case that there is a bug in the
default config, e.g.

  1. No obvious documentation of the actual method used

  and/or 

  2. The code which is supposed to generate a hashed password for SASL
  authentication is broken.

  and/or 

  ....


Anyway, I posted this because it might help other people get started.  

I certainly won't be using this simple authentication solution on a
public server and I would not recommend that anyone else should
consider it for public use either.

It merely gives me the opportunity to find out more, since I can now
actually add, delete and modify data in a test database.

If any Debian guru could tell us how things are actually supposed to
work, I would be eternally grateful for the time it could save me.

Dave