Enable SASL Authentication on OpenLDAP Server
  • Note: This document is based on Debian 4.0 etch.

  1. Install SASL2 packages
    • apt-get install sasl2-bin libsasl2-modules
  2. Modify /etc/default/saslauthd
    • vim /etc/default/saslauthd
      • START=yes
      • MECHANISMS="pam"
  3. Configure OpenLDAP server to use SASL
    • vim /etc/ldap/slapd.conf
      • sasl-realm NEUROIMAGING.ORG.AU
      • sasl-host supertower.neuroimaging.org.au
      • authz-regexp uid=admin,cn=neuroimaging.org.au,cn=.+ cn=admin,dc=neuroimaging,dc=org,dc=au
      • authz-regexp uid=(.*),cn=neuroimaging.org.au,cn=.+ uid=$1,ou=People,dc=neuroimaging,dc=org,dc=au
      • sasl-secprops none
  4. Configure LDAP client
    • vim /etc/ldap/ldap.conf
      • SASL_SECPROPS none
      • SASL_REALM NEUROIMAGING.ORG.AU
  5. See also LDAPv3 How To
    • Note:
      • In openldap 2.3, authz-regexp replaces sasl-regexp
      • You may need to enable ldap server logging, see debian-ldap-server-setup
      • You may need to chgrp openldap /etc/sasldb2 to grant access to ldap server.
  • Note: The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default TLSVerifyClient setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received. Openldap Amin Guide, 12.2.1.8.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License