Difference between revisions of "TSLAuth"

From Department of Computer Science
Line 1: Line 1:
 
 
This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
 
This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
  
Line 25: Line 24:
 
- When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries.
 
- When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries.
 
- chmod a+rx /var/run/saslauthd and /etc/init.d/apparmor stop so that slapd can read the saslauthd socket
 
- chmod a+rx /var/run/saslauthd and /etc/init.d/apparmor stop so that slapd can read the saslauthd socket
 +
- Before starting saslauthd export TLS_REQCERT=allow
 +
 
- Note
 
- Note
  

Revision as of 15:11, 22 December 2009

This document is based on information at http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

On saco1:

Install slapd, sasl2-bin (for saslauthd)

Slapd Configuration

/etc/ldap/slapd.conf (slapd configuration file): Nothing special required.

To run the maximum debugging:

slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535

Create a user object and set the userPassword attribute to {SASL}username where username is the username on the remote LDAP system.

SASL2 and Saslauthd Configuration

/usr/lib/sasl2/slapd.conf (libsasl2 configuration file):

mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux

Notes: - When userPassword attribute begins with {SASL} slapd passes authentication over the the libsasl2 libraries. - chmod a+rx /var/run/saslauthd and /etc/init.d/apparmor stop so that slapd can read the saslauthd socket - Before starting saslauthd export TLS_REQCERT=allow

- Note

/etc/saslauthd.conf:

ldap_servers: ldap://callisto.cs.uct.ac.za/ ldap_version: 3 ldap_search_base: ou=people,dc=cs,dc=uct,dc=ac,dc=za ldap_scope: sub ldap_auth_method: bind ldap_filter: (uid=%u)