Securing openLDAP SASL authentication

From Notes_Wiki

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > SASL authentication

Managing password stored in DIT

To modify or set ldap passwords using slapd.conf (rootpw) or ldapmodify/ldapadd (userPassword) one can use slappasswd utility. To change password using slappasswd use following steps:

  1. Run 'slappasswd' command and enter the desired password twice.
  2. Copy the output password usually protected using {SSHA} including the {SSHA} tag and paste it in 'slapd.conf' file or in ldif file to be used with 'ldapadd' or 'ldapmodify'
  3. Restart slapd in case root password was changed or run 'ldapmodify' or 'ldapadd' in case of userPassword being modified in ldif format.

The advantage of this approach over storing plain-text password is that even if password-database is lost, it would take sometime for users to recover their passwords. Use of cleartext passwords is not recommended. Note that ldapsearch output will display passwords in base64 encoded format. Hence use base64_decode function to get the stored password in format usable by other programs.


Other supported password formats

LDAP also supports {CRYPT} format for storing passwords. Hence passwords from shadow files can be prepended with tag {CRYPT} and then stored in ldap database. Use of {CRYPT} is recommended only for migration. Use of {SSHA} is recommended for other operations. However, if for some reason {CRYPT} passwords are desired then they can be generated using:

openssl passwd -1 -salt <salt>

For example, 'openssl passwd -1 -salt $(mkpasswd -l 8 -s 0)' can be used to get a random salt from 'mkpasswd' and then combine it with user password to get md5crypt password.

Even 'slappasswd' is capable of generating passwords in various schemes such as {MD5}, {SMD5}, {SHA}, {SSHA}, {CRYPT}, etc. Hence it can also be used in place of 'openssl' to generate crypt passwords.


Configuring digest-md5 and cram-md5 based SASL authentication

To configure digest-md5 or cram-md5 based SASL authentication use following steps:

  • 'yum -y intall cyrus-sasl-md5'
  • Modify 'slapd.conf' file and add following lines before PidFile configuration
    authz-regexp "uid=(.+),cn=cram-md5,cn=auth"
    "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"
    authz-regexp "uid=(.+),cn=digest-md5,cn=auth"
    "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"
    Note that through SASL ldap will receive dn of the form uid=<username>,[[cn=<realm>,[cn=mechanism]],cn=auth which should be converted to either a dn: or to a ldap search query in form of ldap URL. The ldap search query must return only single entry for authentication to work. Now since dn is usually created with cn (common name) and login username is usually stored in uid, the search method using ldap URL format is more usable. If entries were stored with dn in the form "uid=<uid>,ou=people,dc=sbarjatiya,dc=com" then the replace could have been "dn:uid=$1,ou=people,dc=sbarjatiya,dc=com" as well.
  • Restart slapd

The above configuration will work only if passwords are stored in LDAP database in {CLEARTEXT} mechanism. Hence if while testing password of user with uid=saurabh.barjatiya is stored using {CRYPT} or {SSHA} then first replace it with plain-text password with ldif file as given below and then try the authentication.

Note that digest-md5 is safer than cram-md5. Both digest-md5 and cram-md5 use challenge-response mechanism for authentication. But in digest-md5 session key expires when session is closed or teminated, requiring re-authentication for every new session, which makes it more secure.


Storing plain-text passwords in DIT

Sample ldif file to replace existing password with clear-text password:

dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changeType: modify
replace: userPassword
userPassword: iiit123

Also note that if password is not in plain-text then the authentication will fail with following error:

dap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

To indicate that password should be stored in plain-text one can add:

password-hash 	{CLEARTEXT}

configuration line in 'slapd.conf'. Note that this would not affect normal ldapadd or modify operations on stored password. It is only meant for ldap password modfiy extended operations.


Testing SASL username based authentication

Test SASL username based authentication using command

ldapsearch -ZZ -Y digest-md5 -U <username> '(cn=Saurabh Barjatiya)' -W

For example, 'ldapsearch -ZZ -Y digest-md5 -U saurabh.barjatiya -W'

  • Note: Do not use -x as simple bind is not desired

Also test cram-md5 mechanism using

ldapsearch -ZZ -Y cram-md5 -U <username> '(cn=Saurabh Barjatiya)' -W



Associating username root with ldap dn

To associate username root with ldap rootdn one can use following line in 'slapd.conf' file:

authz-regexp     "uid=root,cn=.*" "dn.exact:cn=owner,dc=sbarjatiya,dc=com"

To associate username root with some other ldap user one can use:

authz-regexp     "uid=root,cn=.*" "dn.exact:cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com"

Note that above authz-regexp should be placed before generic authz-regexp "uid=(.+),cn=cram-md5,cn=auth" for things to work properly. Hence if above mentioned lines are going to be used to create a username root for authentication purposes then, the above lines should come before generic authz-regexp lines in config file.



Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > SASL authentication