- Note: This document is based on Debian 4.0 etch.
- Install the SASL2 packages:
  - apt-get install sasl2-bin libsasl2-modules
- Modify /etc/default/saslauthd (vim /etc/default/saslauthd) so that saslauthd is started and authenticates against PAM:
  - START=yes
  - MECHANISMS="pam"
- Configure the OpenLDAP server to use SASL by adding the following to /etc/ldap/slapd.conf (vim /etc/ldap/slapd.conf):
  - sasl-realm NEUROIMAGING.ORG.AU
  - sasl-host supertower.neuroimaging.org.au
  - authz-regexp uid=admin,cn=neuroimaging.org.au,cn=.+ cn=admin,dc=neuroimaging,dc=org,dc=au
  - authz-regexp uid=(.*),cn=neuroimaging.org.au,cn=.+ uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au
  - sasl-secprops none
- The two authz-regexp lines map the SASL authentication identity (uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth) onto a real directory entry; slapd tries the rules in the order given and uses the first match, so the specific admin rule must stay ahead of the catch-all rule. sasl-secprops none clears slapd's default properties (noanonymous,noplain), so mechanisms that send the password in the clear are permitted as well; those are only safe inside a TLS session.
- Configure the LDAP client by adding the following to /etc/ldap/ldap.conf (vim /etc/ldap/ldap.conf):
  - SASL_SECPROPS none
  - SASL_REALM NEUROIMAGING.ORG.AU
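To see what the two authz-regexp rules above actually do, here is an added Python model of slapd's first-match identity mapping (example code, not part of the original page or of OpenLDAP). The sample identities are constructed and written in the lower-case normalized form slapd matches against; $N in a replacement is the Nth capture group, as in slapd.

```python
import re

# authz-regexp rules copied from the slapd.conf section above, as (pattern, replacement).
# slapd tries them in the order given and uses the first that matches, so the specific
# admin rule must come before the catch-all rule for ordinary users.
AUTHZ_REGEXP = [
    (r"uid=admin,cn=neuroimaging.org.au,cn=.+",
     "cn=admin,dc=neuroimaging,dc=org,dc=au"),
    (r"uid=(.*),cn=neuroimaging.org.au,cn=.+",
     "uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au"),
]


def map_authz(auth_dn, rules=AUTHZ_REGEXP):
    """Return the entry DN the first matching rule maps auth_dn to, or None.

    auth_dn is the SASL authentication identity in the normalized form
    uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth. $N in a replacement
    stands for the Nth capture group of the pattern, as in slapd."""
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn)  # slapd does not anchor the pattern for you
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Constructed sample identities; the third column is the SASL mechanism used.
    samples = [
        "uid=admin,cn=neuroimaging.org.au,cn=digest-md5,cn=auth",
        "uid=alice,cn=neuroimaging.org.au,cn=digest-md5,cn=auth",
        "uid=alice,cn=other.example.org,cn=plain,cn=auth",  # other realm: no rule matches
    ]
    for dn in samples:
        print(dn, "->", map_authz(dn))
    # With the rules reversed, admin is silently mapped to an ordinary People entry.
    print("reversed:", map_authz(samples[0], list(reversed(AUTHZ_REGEXP))))
```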
- See also LDAPv3 How To
- Notes:
  - In OpenLDAP 2.3, authz-regexp replaces sasl-regexp.
  - You may need to enable LDAP server logging; see debian-ldap-server-setup.
  - You may need to chgrp openldap /etc/sasldb2 to grant the LDAP server access to the SASL database.
  - The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received. (OpenLDAP Admin Guide, section 12.2.1.8)