Hi all,
I begin to research about DIGEST-MD5 mechanisms instead of using plaintext mechanisms. However, its features are very few. I following this site: http://www.openldap.org/doc/admin24/sasl.html, but the result is failed... or i don't understand anything about the DIGEST-MD5. Here is my result: my slapd.conf is: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/openldap.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org loglevel 296 pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args # Misc Security Settings password-hash {SSHA} # Load dynamic backend modules: modulepath /usr/local/openldap/libexec/openldap moduleload back_bdb.la # moduleload back_hdb.la # moduleload back_ldap.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### sasl-regexp uid=(.*),cn=abc.com,cn=digest-md5,cn=auth uid=$1,ou=network,dc=abc,dc=com database bdb suffix "dc=abc,dc=com" rootdn "cn=rootldap,dc=abc,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}QBEsoednrePQ/Lu5a90Nv4hbsC+BWVkK # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/openldap/var/openldap-data mode 0600 # Indices to maintain index objectClass eq index uid eq index cn,gn,mail eq,sub index sn eq,sub index ou eq index default eq,sub I want to store secret in LDAP directory, so i use password-hash {SSHA}. I think if i use to ./slapadd that mean a store secret in SASLdb, but i just want it in LDAP directory, so I use: ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f quanly.ldif -W ./ldapadd -x -D cn=rootldap,cn=abc,cn=com -f nhanvien.ldif -W and it successfull. When i try to use ldapsearch: ./ldapsearch -Y digest-md5 -U khanhnq SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database It said that no secret in database while I used ./ldapadd to add it... I... I really don't understand about digest-md5. I'm so stupid... Please help, My nhanvien.ldif: dn: cn=Khanh Nguyen,ou=network,dc=abc,dc=com objectclass: inetOrgPerson cn: Khanh Nguyen cn: Khanh Nguyen Quoc sn: Khanh uid: khanhnq userpassword: 123456 mail: khan...@abc.com mail: nqk28...@yahoo.com mail: khan...@saigontech.edu.vn ou: network dn: cn=Tai Tran,ou=network,dc=abc,dc=com objectclass: inetOrgPerson cn: Tai Tran cn: Tai Tran Tuan sn: Tai uid: taitt userpassword: 123456 mail: ta...@abc.com mail: ta...@saigontech.edu.vn ou: network dn: cn=Nam Le,ou=network,dc=abc,dc=com objectclass: inetOrgPerson cn: Nam Le cn: Nam Le Quoc sn: Nam uid: namlq userpassword: 123456 mail: na...@abc.com mail: na...@saigontech.edu.vn ou: network .... Best Regards, -- *********************************** EVERYTHING HAS JUST BEGUN...
