Securing openLDAP SASL authentication
Managing passwords stored in the DIT
To modify or set LDAP passwords in slapd.conf (rootpw) or via ldapmodify/ldapadd (userPassword), one can use the slappasswd utility. To set a password using slappasswd, use the following steps:
- Run 'slappasswd' command and enter the desired password twice.
- Copy the output, which is usually protected using {SSHA}, including the {SSHA} tag, and paste it into 'slapd.conf' or into the ldif file to be used with 'ldapadd' or 'ldapmodify'.
- Restart slapd if the root password was changed, or run 'ldapmodify' or 'ldapadd' with the ldif file if userPassword is being modified.
The advantage of this approach over storing plain-text passwords is that even if the password database is lost, it would take some time for the passwords to be recovered from it. Use of cleartext passwords is not recommended. Note that ldapsearch output displays hashed passwords base64-encoded (shown as 'userPassword::'); decode them with a base64_decode function to get the stored password in a format usable by other programs.
Other supported password formats
LDAP also supports the {CRYPT} format for storing passwords, so passwords from shadow files can be prepended with the tag {CRYPT} and stored in the LDAP database. Use of {CRYPT} is recommended only for migration; use {SSHA} for other operations. However, if {CRYPT} passwords are desired for some reason, they can be generated using:
openssl passwd -1 -salt <salt>
For example, 'openssl passwd -1 -salt $(mkpasswd -l 8 -s 0)' gets a random salt from 'mkpasswd' and combines it with the user's password to produce an md5crypt password.
'slappasswd' itself can generate passwords in various schemes such as {MD5}, {SMD5}, {SHA}, {SSHA}, {CRYPT}, etc., so it can also be used in place of 'openssl' to generate crypt passwords.
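The two sections above describe what a {SSHA}/{SHA}/{SMD5}/{MD5} userPassword value actually contains and that ldapsearch prints it base64-encoded. The following Python script is an added example (not part of this page or of OpenLDAP) that reproduces the slappasswd encoding, verifies a candidate password against a stored value using the salt carried inside it, and decodes the 'userPassword::' lines of ldapsearch LDIF output. The sample LDIF is constructed in the script from a fixed salt; the function names are this example's own. {CRYPT} is deliberately not implemented here since it depends on the platform crypt(3).

```python
import base64
import hashlib
import hmac
import os

# Unsalted and salted schemes slappasswd can emit: (digest function, salted?).
# {CRYPT} is left out on purpose: it depends on crypt(3) and is only
# recommended for migration anyway.
SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}


def hash_password(password, scheme="SSHA", salt=None):
    """Return a userPassword value in the {SCHEME}base64 form slappasswd prints.

    For salted schemes the stored value is base64(digest || salt), where the
    digest is computed over password || salt; the salt is random unless given.
    """
    if scheme == "CLEARTEXT":
        return "{CLEARTEXT}" + password
    digest_fn, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Check a candidate password against a stored userPassword value.

    Values without a {SCHEME} prefix, and {CLEARTEXT} values, are compared
    literally; hashed schemes are re-derived using the salt found after the
    digest in the stored value.  All comparisons are constant-time.
    """
    candidate = password.encode("utf-8")
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(candidate, stored.encode("utf-8"))
    scheme, rest = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate, rest.encode("utf-8"))
    if scheme not in SCHEMES:
        raise ValueError("unsupported password scheme {%s}" % scheme)
    digest_fn, salted = SCHEMES[scheme]
    raw = base64.b64decode(rest)
    digest_len = digest_fn().digest_size          # 16 for MD5, 20 for SHA-1
    digest, salt = raw[:digest_len], raw[digest_len:]
    if not salted and salt:                        # trailing bytes on an unsalted scheme
        return False
    expected = digest_fn(candidate + salt).digest()
    return hmac.compare_digest(expected, digest)


def decode_ldif_passwords(ldif_text):
    """Return [(dn, userPassword)] from ldapsearch LDIF output.

    ldapsearch base64-encodes userPassword (shown as "userPassword::"); this
    unfolds continuation lines, decodes the value and returns the stored
    {SCHEME}... string so other programs can use it directly.
    """
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:        # LDIF continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, dn = [], None
    for line in lines:
        low = line.lower()
        if low.startswith("dn:"):
            dn = line[3:].strip()
        elif low.startswith("userpassword::"):
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
            entries.append((dn, value))
        elif low.startswith("userpassword:"):
            entries.append((dn, line.split(":", 1)[1].strip()))
    return entries


# Constructed sample LDIF in the shape ldapsearch prints, built here from a
# fixed salt so the example is deterministic; it is not output from a real directory.
SAMPLE_HASH = hash_password("iiit123", "SSHA", salt=b"abcd")
SAMPLE_LDIF = (
    "dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "userPassword:: " + base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii") + "\n"
)

if __name__ == "__main__":
    for entry_dn, stored in decode_ldif_passwords(SAMPLE_LDIF):
        print(entry_dn, stored, verify_password("iiit123", stored))
```

Because the salt is appended to the digest inside the base64 value, a verifier never needs to know it in advance, which is why 'slappasswd' can pick a fresh random salt every time without any extra bookkeeping in the directory.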
Configuring digest-md5 and cram-md5 based SASL authentication
To configure digest-md5 or cram-md5 based SASL authentication, use the following steps:
- 'yum -y install cyrus-sasl-md5'
- Modify the 'slapd.conf' file and add the following lines before the PidFile configuration:
    authz-regexp "uid=(.+),cn=cram-md5,cn=auth"
        "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"
    authz-regexp "uid=(.+),cn=digest-md5,cn=auth"
        "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"
- Note that through SASL, ldap will receive a dn of the form uid=<username>[,cn=<realm>][,cn=<mechanism>],cn=auth, which must be converted either to a dn: or to an LDAP search query in the form of an LDAP URL. The search query must return exactly one entry for authentication to work. Since the dn is usually built from cn (common name) while the login username is usually stored in uid, the search method using the LDAP URL format is more usable. If entries were stored with a dn of the form "uid=<uid>,ou=people,dc=sbarjatiya,dc=com", the replacement could have been "dn:uid=$1,ou=people,dc=sbarjatiya,dc=com" as well.
- Restart slapd
The above configuration will work only if passwords are stored in the LDAP database in {CLEARTEXT} form. So if, while testing, the password of the user with uid=saurabh.barjatiya is stored using {CRYPT} or {SSHA}, first replace it with the plain-text password using an ldif file as given below and then try the authentication.
Note that digest-md5 is safer than cram-md5. Both use a challenge-response mechanism for authentication, but in digest-md5 the session key expires when the session is closed or terminated, requiring re-authentication for every new session, which makes it more secure.
Storing plain-text passwords in DIT
Sample ldif file to replace existing password with clear-text password:
dn: cn=Saurabh Barjatiya,ou=People,dc=sbarjatiya,dc=com
changeType: modify
replace: userPassword
userPassword: iiit123
Also note that if the password is not stored in plain-text, the authentication will fail with the following error:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
To indicate that password should be stored in plain-text one can add:
password-hash {CLEARTEXT}
configuration line in 'slapd.conf'. Note that this does not affect normal ldapadd or ldapmodify operations on the stored password; it only applies to the LDAP password modify extended operation.
Testing SASL username based authentication
Test SASL username based authentication using the command:
ldapsearch -ZZ -Y digest-md5 -U <username> '(cn=Saurabh Barjatiya)' -W
For example, 'ldapsearch -ZZ -Y digest-md5 -U saurabh.barjatiya -W'
- Note: Do not use -x, as a simple bind is not desired.
Also test the cram-md5 mechanism using:
ldapsearch -ZZ -Y cram-md5 -U <username> '(cn=Saurabh Barjatiya)' -W
Associating username root with ldap dn
To associate username root with ldap rootdn one can use following line in 'slapd.conf' file:
authz-regexp "uid=root,cn=.*" "dn.exact:cn=owner,dc=sbarjatiya,dc=com"
To associate username root with some other ldap user one can use:
authz-regexp "uid=root,cn=.*" "dn.exact:cn=Saurabh Barjatiya,ou=people,dc=sbarjatiya,dc=com"
Note that the above authz-regexp must be placed before the generic authz-regexp "uid=(.+),cn=cram-md5,cn=auth" for things to work properly: slapd applies the first rule that matches, and the generic pattern would also match uid=root. Hence if the above lines are used to create a username root for authentication purposes, they must come before the generic authz-regexp lines in the config file.
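The SASL-name-to-DN translation explained in the configuration section above, and the rule-ordering requirement just stated, can be checked offline before touching slapd.conf. The following Python script is an added example (not part of this page or of OpenLDAP) that evaluates a list of authz-regexp rules the way slapd does, first match wins with $1..$9 substituted from the pattern's capture groups, and shows the same rules in both orders so the effect of placing the root rule last is visible. Python's re module stands in for the POSIX extended regexes slapd compiles, and case-insensitive matching is assumed; both are this example's assumptions, fine for the simple patterns on this page. The rules themselves are the ones from the text.

```python
import re

# Rules in the order they would appear in slapd.conf: first match wins.
ROOT_RULE = ("uid=root,cn=.*", "dn.exact:cn=owner,dc=sbarjatiya,dc=com")
GENERIC_RULES = [
    ("uid=(.+),cn=cram-md5,cn=auth",
     "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"),
    ("uid=(.+),cn=digest-md5,cn=auth",
     "ldap:///ou=people,dc=sbarjatiya,dc=com??sub?(uid=$1)"),
]
RULES_ROOT_FIRST = [ROOT_RULE] + GENERIC_RULES   # the ordering the text requires
RULES_ROOT_LAST = GENERIC_RULES + [ROOT_RULE]    # the mistake the text warns about


def map_authzid(rules, sasl_name):
    """Translate a SASL authentication identity (uid=...,cn=...,cn=auth) into
    the DN or LDAP URL slapd will use, following the first matching rule.

    $N in the replacement refers to capture group N of the pattern.  Returns
    None when no rule matches (slapd would then keep the SASL name as-is,
    which matches no real entry).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)   # case-insensitivity assumed
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


def mapping_kind(target):
    """Classify a rule result: a direct DN ("dn:" / "dn.exact:") needs no
    search, an LDAP URL makes slapd search and requires exactly one hit."""
    if target is None:
        return "unmapped"
    if target.startswith("dn:") or target.startswith("dn.exact:"):
        return "dn"
    if target.startswith("ldap:///"):
        return "url"
    return "unknown"


if __name__ == "__main__":
    # Constructed SASL names of the form slapd receives from digest-md5/cram-md5.
    for name in ("uid=saurabh.barjatiya,cn=digest-md5,cn=auth",
                 "uid=root,cn=cram-md5,cn=auth"):
        print(name)
        for label, rules in (("root rule first", RULES_ROOT_FIRST),
                             ("root rule last ", RULES_ROOT_LAST)):
            target = map_authzid(rules, name)
            print("  %s: %s (%s)" % (label, target, mapping_kind(target)))
```

With the root rule last, a login as root is rewritten into a search for uid=root under ou=people, so the rootdn mapping is never reached; with it first, ordinary users still fall through to the generic search rules unchanged.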