supportedSaslMechanisms during ADD

[VANOLE, MICHAEL J]

Greetings,

 

This might be more of an ldap question, but I’m going to try this list.

 

I use net ldap to create new users on Sun One Directory v7 (ODSEE), and on openldap.

 

With ODSEE I’m able to specify which sasl mechanism I want a user to have like so:

 

                $adduser = $ldap->add( $user_dn,

                        attr => [

                        'uid'                           => $ldap_uid,

                        'cn'                            => "$ldap_last_name $ldap_first_name",

                        'givenname'                     => $ldap_first_name,

                        'sn'                            => $ldap_last_name,

                        'objectclass'                   => ['top','person','organizationalPerson','inetorgperson'],

                        'userpassword'                  => $userpass,

                        'nsaccountlock'                 => 'false',

                        'supportedsaslmechanisms'       => 'cn=default,cn=DIGEST-MD5,cn=identity mapping,cn=config'

                        ]);

 

With openldap this fails with a message about sasl mechanism can only be applied to rootdse.

I have several supported mechanisms I can choose from. Part of the problem might be I don’t know the ‘cn’ for them as I have above, so I tried this:

 

                $adduser = $ldap->add( $user_dn,

                        attr => [

                        'uid'                           => $ldap_uid,

                        'cn'                            => "$ldap_last_name $ldap_first_name",

                        'givenname'                     => $ldap_first_name,

                        'sn'                            => $ldap_last_name,

                        'objectclass'                   => ['top','person','organizationalPerson','inetorgperson'],

                        'userpassword'                  => $userpass,

                        'supportedsaslmechanisms'       => 'DIGEST-MD5'

                        ]);

 

Should this work with openldap if I had the full hierarchy path the the sasl mechanism? What would that be on openldap if so?

 

Many thanks

Mike

 

 

[Dieter Klünter]

Am Thu, 9 Oct 2014 13:51:33 +0000
schrieb "VANOLE, MICHAEL J" <mv5...@att.com>:

If OpenLDAP has been compiled with cyrus-sasl, sasl mechanism are
declared in $HOME/sasl2/slapd.conf. On Linux this would
be /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf. Read the
cyrus-sasl docs
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/sysadmin.php
and openldap docs
http://www.openldap.org/doc/admin24/sasl.html

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

[VANOLE, MICHAEL J]

Thanks Dieter,

Our ldap is compiled with sasl, but I don't think I asked the question correctly.

Sun One must be doing the MD5 (or whatever) encryption locally and applying the userPassword that way. I just have to specify what I want via the supportedSaslMechanisms attribute. Openldap does not like this.

[Our] Openldap is defaulting to plaintext, and I wanted to apply a better default - at least MD5, and I wanted to be able to override plaintext during the user add process shown below using net ldap. Doing this I can have different encryptions for different users or user types on the same ldap, though I'm not sure why I would do this.

I did not find anything I could configure on ldap as a better default so I will encrypt the password and specify the encrypted version during the user add. There are two ways I found I can to do this:

1. use the slappasswd utility to create the password
$userpass = qx!/usr/local/sbin/slappasswd -s $clearpass -h {MD5}!;

2. This excellent help: http://blog.gauner.org/blog/2010/12/19/handling-salted-passwords-in-perl/ using the ldap_md5 subroutine (I'm sure the others work just as well)
$userpass = "{MD5}" . pad_base64( Digest::MD5::md5_base64($clearpass) );

Then pass then as shown below. Both work great, though I'm sure there is something to be cautious about.

I guess I was hoping for an answer where my second solution was in some way supported in net ldap. I'm not sure this is possible, or practical.

Mike

[Quanah Gibson-Mount]

--On Thursday, October 16, 2014 12:08 AM +0100 Chris Ridd
<chri...@mac.com> wrote:

> Anyway, this is mostly not related to Net::LDAP - you need to talk to the
> OpenLDAP folks to see if they will help you.

OpenLDAP defaults to using SSHA as the password hashing mechanism. If your
system is hashing it in cleartext, then you are:
(a) updating the userPassword value via the rootdn,

or

(b) updating userPassword without correctly using the LDAP Password Modify
Extended Operation

or

(c) modified your slapd configuration to not use SSHA as the default

>From the cn=config man page:

olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used
in
generation of user passwords stored in the
userPassword
attribute during processing of LDAP Password Modify
Extended
Operations (RFC 3062). The <hash> must be one of {SSHA},
{SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is
{SSHA}.

{SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1),
the
latter with a seed.

{MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the
latter
with a seed.

{CRYPT} uses the crypt(3).

{CLEARTEXT} indicates that the new password should be added
to
userPassword as clear text.

Note that this option does not alter the normal
user
applications handling of userPassword during LDAP Add,
Modify,
or other LDAP operations. This setting is only allowed in
the
frontend entry.

--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration