HP OSMS Blueprint: Directory Services on HP ProLiant Servers with SLES10

This section provides the steps for configuring SASL with the DIGEST-MD5 and EXTERNAL
mechanisms.
Configuring SASL with DIGEST-MD5
In the DIGEST-MD5 security mechanism, when authentication begins, the server generates a
challenge and the client sends a response proving that it knows the shared secret. Because
the secret itself is not sent over the wire, this mechanism is more secure than Simple
Authentication.
1. Verify that the CDS test data is imported into the directory server and slapd is running
properly.
2. Use the saslpasswd2 command on the CDS server to create a test user named osmsusr
by entering the following:
# /opt/symas/bin/saslpasswd2 -c osmsusr
3. At the prompt, enter abc123 for the password.
If no user domain is provided to saslpasswd2, the host name of the machine is used as
the default domain. If the host name is master, then the user osmsusr@master is created.
If you need to use a new domain instead of the default, enter the following command:
# /opt/symas/bin/saslpasswd2 -c osmsusr -u cds.test
After the password is entered, the user osmsusr@cds.test is created.
4. Run the sasldblistusers2 command to verify that the test user is successfully stored in
the SASL sasldb database:
# /opt/symas/bin/sasldblistusers2
The following is displayed:
osmsusr@master: userPassword
5. On the CDS client machine, use the ldapsearch command with DIGEST-MD5 to query
the directory server, on host master, by entering the following:
# /opt/symas/ldapsearch -Y digest-md5 -U osmsusr@master -h \
master -b 'dc=example,dc=com' -s base -LLL
6. For the user osmsusr@master, enter the test password abc123.
The following is displayed:
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: osmsusr@master
SASL SSF: 128
SASL installing layers
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example
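The exchange behind steps 5 and 6 is easier to reason about when the arithmetic is visible. The following is an added example, not part of the HP document or of the Symas tools it describes: it implements the RFC 2831 DIGEST-MD5 response computation for the user osmsusr in realm master with password abc123 (values taken from the steps above) and checks three properties a defender cares about: a correct password verifies, a wrong one does not, and a captured response cannot be replayed against a fresh challenge. The Server and client_respond names, the nonce handling and the digest-uri ldap/master are assumptions made for this example; the server here keeps only MD5(username:realm:password) rather than the password itself.

```python
import hashlib
import secrets
from typing import Dict


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    # RFC 2831: the server only needs H(username:realm:password), raw 16 bytes.
    return _md5(f"{username}:{realm}:{password}".encode())


def compute_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                     qop: str, digest_uri: str) -> str:
    # A1 = H(H(user:realm:pass) ":" nonce ":" cnonce); A2 = "AUTHENTICATE:" digest-uri
    a1 = _md5_hex(secret + f":{nonce}:{cnonce}".encode())
    a2 = _md5_hex(f"AUTHENTICATE:{digest_uri}".encode())
    # response = H(HEX(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(A2))
    return _md5_hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}".encode())


class Server:
    """Constructed stand-in for the SASL server side of a DIGEST-MD5 bind."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.db: Dict[str, bytes] = {}      # username -> stored secret
        self.issued = set()                 # nonces that may still be answered

    def add_user(self, username: str, password: str) -> None:
        self.db[username] = stored_secret(username, self.realm, password)

    def challenge(self) -> Dict[str, str]:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "md5-sess"}

    def verify(self, resp: Dict[str, str]) -> bool:
        nonce = resp["nonce"]
        if nonce not in self.issued:
            return False                    # unknown or already-used nonce: replay rejected
        self.issued.discard(nonce)          # each challenge is answerable exactly once
        secret = self.db.get(resp["username"])
        if secret is None:
            return False
        expected = compute_response(secret, nonce, resp["cnonce"], resp["nc"],
                                    resp["qop"], resp["digest-uri"])
        return secrets.compare_digest(expected, resp["response"])


def client_respond(challenge: Dict[str, str], username: str, password: str,
                   digest_uri: str) -> Dict[str, str]:
    """Build the client's digest-response; the password is used locally only."""
    cnonce = secrets.token_hex(8)
    secret = stored_secret(username, challenge["realm"], password)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "cnonce": cnonce, "nc": "00000001", "qop": "auth", "digest-uri": digest_uri,
        "response": compute_response(secret, challenge["nonce"], cnonce,
                                     "00000001", "auth", digest_uri),
    }


def run_exchange(password_tried: str, user: str = "osmsusr", realm: str = "master",
                 password_set: str = "abc123") -> bool:
    """One full challenge/response round; True when the server accepts the client."""
    server = Server(realm)
    server.add_user(user, password_set)
    ch = server.challenge()
    resp = client_respond(ch, user, password_tried, f"ldap/{realm}")
    assert password_tried not in resp.values()   # the password never appears on the wire
    return server.verify(resp)


def replay_is_rejected() -> bool:
    """A captured response is useless a second time because the nonce is spent."""
    server = Server("master")
    server.add_user("osmsusr", "abc123")
    ch = server.challenge()
    resp = client_respond(ch, "osmsusr", "abc123", "ldap/master")
    return server.verify(resp) and not server.verify(resp)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange("abc123"))
    print("wrong password accepted:  ", run_exchange("wrong"))
    print("replay rejected:          ", replay_is_rejected())
```

The SASL SSF: 128 line in the ldapsearch output above is not modelled here; it reports the integrity/confidentiality layer that DIGEST-MD5 can negotiate after authentication, which is separate from the response computation shown.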
Mapping SASL Users to Distinguished Names
When DIGEST-MD5 is used for authentication, all user names are stored in SASL's own database.
The user names are in the namespace of the authentication mechanism, and not in the normal
LDAP namespace. Each user name is reformatted into a request Distinguished Name (DN) in the
following form:
uid=<username>, cn=<realm>, cn=<mechanism>, cn=auth
If no realm is used, which means no sasl-realm property is configured in the slapd.conf
file, then the request DNs for SASL users are in the following form:
Setting up Security for the CDS Server 23
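The mapping rule in the section above determines which DN slapd sees when osmsusr@master binds, and therefore which access-control rules apply to that user. The following is an added example, not code from the HP document or from OpenLDAP: a small function that builds the request DN for a SASL authentication identity, with and without a realm, and escapes the value characters that RFC 4514 reserves. The form without a realm, uid=<username>,cn=<mechanism>,cn=auth, is taken from OpenLDAP's documented behaviour rather than from the page, which cuts off before stating it; the function names are assumptions, and the DN is emitted without the spaces after commas that the page's illustrative form shows.

```python
import re
from typing import Optional

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded safely in a DN."""
    escaped = _SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def sasl_auth_dn(authcid: str, mechanism: str, default_realm: Optional[str] = None) -> str:
    """Map a SASL authentication identity to its request DN in the cn=auth namespace.

    'osmsusr@master' with DIGEST-MD5 becomes uid=osmsusr,cn=master,cn=digest-md5,cn=auth;
    with no realm (no sasl-realm in slapd.conf) the cn=<realm> component is omitted.
    """
    if "@" in authcid:
        user, realm = authcid.rsplit("@", 1)
    else:
        user, realm = authcid, default_realm
    rdns = [f"uid={escape_rdn_value(user)}"]
    if realm:
        rdns.append(f"cn={escape_rdn_value(realm)}")
    rdns.append(f"cn={escape_rdn_value(mechanism.lower())}")
    rdns.append("cn=auth")
    return ",".join(rdns)


def is_sasl_auth_dn(dn: str) -> bool:
    """True when a DN lies in the SASL authentication namespace (ends in cn=auth)."""
    return dn.replace(", ", ",").lower().endswith(",cn=auth")


if __name__ == "__main__":
    print(sasl_auth_dn("osmsusr@master", "DIGEST-MD5"))
    print(sasl_auth_dn("osmsusr@cds.test", "DIGEST-MD5"))
    print(sasl_auth_dn("osmsusr", "DIGEST-MD5"))
```

Because these DNs do not correspond to entries in dc=example,dc=com, access-control rules written against the normal LDAP namespace will not match them unless slapd is configured to rewrite the cn=auth identity to a directory DN; checking is_sasl_auth_dn on the bind identity is a quick way to spot rules that silently fail to apply.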