
Enable SASL Authentication on OpenLDAP Server
  • Note: This document is based on Debian 4.0 etch.
  1. Install SASL2 packages
    • apt-get install sasl2-bin libsasl2-modules
  2. Modify /etc/default/saslauthd
    • vim /etc/default/saslauthd
      • START=yes
      • MECHANISMS="pam"
  3. Configure OpenLDAP server to use SASL
    • vim /etc/ldap/slapd.conf
      • sasl-realm NEUROIMAGING.ORG.AU
      • sasl-host supertower.neuroimaging.org.au
      • authz-regexp uid=admin,cn=neuroimaging.org.au,cn=.+ cn=admin,dc=neuroimaging,dc=org,dc=au
      • authz-regexp uid=(.*),cn=neuroimaging.org.au,cn=.+ uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au
      • sasl-secprops none
  4. Configure LDAP client
    • vim /etc/ldap/ldap.conf
      • SASL_SECPROPS none
      • SASL_REALM NEUROIMAGING.ORG.AU
  5. See also LDAPv3 How To
    • Note:
      • In openldap 2.3, authz-regexp replaces sasl-regexp
      • You may need to enable ldap server logging, see debian-ldap-server-setup
      • You may need to chgrp openldap /etc/sasldb2 to grant the LDAP server access to it.
  • Note: The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received. OpenLDAP Admin Guide, 12.2.1.8.
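The two authz-regexp lines in step 3 are what turn a SASL login into a directory identity: slapd forms the pseudo-DN uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth and rewrites it with the first rule whose pattern matches. The Python below is an added illustration, not code from this page or from OpenLDAP; it emulates that mapping so the rules can be checked offline, and shows that swapping the two rules would send "admin" to ou=People instead of cn=admin. The case-insensitive match, the $n substitution syntax and the function names are my assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule table: the two authz-regexp lines from the slapd.conf
# above, in the order they appear. Order matters: the first match wins.
AUTHZ_RULES: List[Tuple[str, str]] = [
    (r"uid=admin,cn=neuroimaging.org.au,cn=.+",
     "cn=admin,dc=neuroimaging,dc=org,dc=au"),
    (r"uid=(.*),cn=neuroimaging.org.au,cn=.+",
     "uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au"),
]


def sasl_auth_dn(authcid: str, realm: str, mech: str) -> str:
    """Build the pseudo-DN slapd forms for a SASL-authenticated client."""
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def map_identity(auth_dn: str,
                 rules: List[Tuple[str, str]] = AUTHZ_RULES) -> Optional[str]:
    """Emulate authz-regexp evaluation (assumed behaviour, not slapd's code).

    Patterns are unanchored, like regexec(); matching is assumed to be
    case-insensitive because slapd normalizes the DN first. $0..$9 in the
    replacement are filled from the match. Returns None when no rule
    matches, i.e. the bind would be left with a DN that has no entry.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m is None:
            continue

        def fill(tok: "re.Match[str]") -> str:
            n = int(tok.group(1))
            if n > m.re.groups:
                return ""            # reference to a group the pattern lacks
            return m.group(n) or ""  # group that did not participate -> ""

        return re.sub(r"\$(\d)", fill, replacement)
    return None
```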
