These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

LDAP01/Directory Access


SASL Options

The secure authentication functionality of LDAP is not necessary when making simple binds to access the directory. For example, if only very simple read-only access is permitted across a network, there may be no need for SASL.

However, it's often useful to allow a combination of simple binds and SASL mechanisms for user connections. For example, we might want to allow most users (who are only allowed to look up data) to authenticate via a simple bind, while requiring administrators (who are allowed to change data) to authenticate via SASL.

slapd.conf has three SASL-related global options. These are:

 sasl-host hostname
 sasl-realm string
 sasl-secprops properties

sasl-host is the fully qualified domain name of the host used for SASL authentication. For local authentication mechanisms such as DIGEST-MD5, this will be the host and domain name of the slapd server. sasl-realm is the SASL domain used for authentication. If you are unsure of this value, use sasldblistusers to dump the /etc/sasldb database and obtain the realm name to use. The third parameter, sasl-secprops, allows you to define various conditions that affect SASL security properties. The possible values for this parameter are given below (note that it is legal to use multiple values in combination):

 none         Clears the default security properties.
 noplain      Disables mechanisms vulnerable to passive attacks, such as viewing network packets to examine passwords. (One of the default settings.)
 noanonymous  Disables mechanisms that support anonymous login. (The other default setting.)
 noactive     Disables mechanisms vulnerable to active attacks.
 nodict       Disables mechanisms that are vulnerable to dictionary-based password attacks.
 forwardsec   Requires forward secrecy between sessions.
 passcred     Requires mechanisms that pass client credentials.

There are others, which will not be covered in this course, listed on page 43 of the book. Additionally, to fully understand most of these settings, you may have to consult table 3-4 of the book (page 44).

The root DN

The naming of the root DN is arbitrary, although the cn values "admin" and "Manager" have become common choices. The root DN also requires a corresponding root password (rootpw), which can be stored in clear text or in hashed form using one of the prefixes accepted by the password-hash parameter. OpenLDAP provides the slappasswd utility for generating {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA} passwords. It is best not to place the plain text password in slapd.conf regardless of what the file permissions are. Even if the password is hashed, it is extremely important not to allow unauthorized access to the slapd.conf file.

 ## Define a root DN for superuser
 rootdn "cn=admin,dc=odyssey,dc=com"

 ## Define a root DN password
 rootpw {SSHA}W6fEBIjx9rCgxnNImtvpvr2j8K6dKGUN?

The above entries define an admin root DN with a password of 'cpasswd', which is what we will be using in this class.
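As an added example (not from these notes or from OpenLDAP itself), the Python below builds a {SSHA} rootpw value in the same layout slappasswd emits, verifies a candidate password against it by recovering the salt, and flags any rootpw line in a constructed slapd.conf fragment that carries no {SCHEME} prefix. The function names and the sample fragment are assumptions made for this example.

```python
import base64
import hashlib
import os
import re

def make_ssha(password, salt=None):
    """Build a {SSHA} value: '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)          # short random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    """Verify a password against a {SSHA} value by recomputing the digest
    with the salt recovered from the stored blob (SHA-1 digests are 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def cleartext_rootpw_lines(conf_text):
    """Return 1-based line numbers of rootpw directives whose value has no
    {SCHEME} prefix, i.e. a plain-text password sitting in slapd.conf."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*rootpw\s+(\S+)", line)
        if m and not re.match(r"\{[A-Z0-9-]+\}", m.group(1)):
            hits.append(n)
    return hits

# Constructed slapd.conf fragment (hypothetical); the last rootpw line is
# deliberately left in clear text so the check has something to catch.
SAMPLE_CONF = (
    'rootdn "cn=admin,dc=odyssey,dc=com"\n'
    "rootpw " + make_ssha("cpasswd", salt=b"salt") + "\n"
    "# a stale copy someone left behind\n"
    "rootpw cpasswd\n"
)

if __name__ == "__main__":
    h = make_ssha("cpasswd")
    print(h, check_ssha("cpasswd", h), check_ssha("wrong", h))
    print("clear-text rootpw on lines:", cleartext_rootpw_lines(SAMPLE_CONF))
```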

Maintaining Indexes for better searching

To better support searches, it can be helpful to define indexes for the LDAP server to maintain. Indexes improve speed and response when searching through large or complicated directories.

The basic format for specifying indexes in slapd.conf is as follows:

 index  attribute  index type

where attribute is the attribute to index, and index type is the type of index to create (one of "eq" for equality, "sub" for substrings, or others which are detailed in the book, but which we will not cover here).

So, for example, if we wanted to optimize our directory for employee searches, we would include

 index objectClass          eq
 index cn,sn,mail           eq,sub
 index departmentNumber     eq


Last edited September 24, 2003 7:47 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.