OpenLDAP-SSL-HOWTO

==========================
untar rsaref20.tar.Z

download: google search for rsaref20.tar.Z
(only needed if you insist on the "rsaref" OpenSSL option; the RSA patent that
motivated RSAREF expired in September 2000, so OpenSSL's own RSA code can be
used instead and this whole rsaref step skipped)

compile rsaref:
____SNIP____
# mkdir rsaref-2.0
# cd rsaref-2.0
# tar zxvf ../rsaref20.tar.Z
# cp -rp install/unix local
# cd local
# make
# mv rsaref.a librsaref.a
# cd ../..
____SNIP____


==========================
untar/compile openssl

download: http://www.openssl.org/source/openssl-0.9.6g.tar.gz
# wget http://www.openssl.org/source/openssl-0.9.6g.tar.gz

____SNIP____
# tar zxvf openssl-0.9.6g.tar.gz
# cd openssl-0.9.6g
# ./config --prefix=/usr/local/ssl \
  -L ../rsaref-2.0/local/rsaref \
  -fPIC shared rsaref
# make
# make test
# make install
# make do_gnu-shared # I had to do this to get shared libs (make linux-shared is supposed to work)
# cd ..
##
## copy libs to /usr/lib  and link appropriately like this
##(do the same for libcrypto):
##
##lrwxrwxrwx    1 root     root           15 Jun 20 13:02 /usr/lib/libssl.so -> libssl.so.0.9.6
##lrwxrwxrwx    1 root     root           15 Jun 20 13:08 /usr/lib/libssl.so.0 -> libssl.so.0.9.6
##-rwxr-xr-x    1 root     root       836109 Jun 20 13:01 /usr/lib/libssl.so.0.9.6
##
____SNIP____
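The listing above shows the soname link chain slapd will need at run time (libssl.so and libssl.so.0 both pointing at libssl.so.0.9.6). The script below is an added example, not part of the original HOWTO, that installs one library with exactly that layout and verifies the links; the function names are mine, the paths (/usr/local/ssl/lib, /usr/lib, version 0.9.6) are those used on this page. Copying into /usr/lib shadows any distro libssl for every program on the box, so the function refuses to overwrite a regular file.

```sh
#!/bin/sh
# Added example (not from the HOWTO): install one OpenSSL shared library
# into a system lib dir with the link chain shown in the listing above:
#   NAME.so -> NAME.so.VERSION,  NAME.so.MAJOR -> NAME.so.VERSION
# Usage: install_shared_lib SRC_DIR DST_DIR NAME VERSION
#   e.g. install_shared_lib /usr/local/ssl/lib /usr/lib libssl 0.9.6
install_shared_lib() {
    src="$1/$3.so.$4"; dst="$2/$3.so.$4"
    major=$(printf '%s' "$4" | cut -d. -f1)
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    # Refuse to clobber a distro library that is a real file, not a link:
    # silently replacing it changes what every other program loads.
    for p in "$2/$3.so" "$2/$3.so.$major"; do
        if [ -e "$p" ] && [ ! -L "$p" ]; then
            echo "$p is a regular file; not overwriting" >&2; return 1
        fi
    done
    cp -p "$src" "$dst" && chmod 755 "$dst"
    ln -sf "$3.so.$4" "$2/$3.so.$major"
    ln -sf "$3.so.$4" "$2/$3.so"
}

# Check that every link in the chain resolves to the versioned file and
# print its path. Usage: verify_shared_lib DST_DIR NAME VERSION
verify_shared_lib() {
    major=$(printf '%s' "$3" | cut -d. -f1)
    for p in "$1/$2.so" "$1/$2.so.$major"; do
        [ "$(readlink "$p")" = "$2.so.$3" ] || { echo "bad link $p" >&2; return 1; }
    done
    [ -f "$1/$2.so.$3" ] && echo "$1/$2.so.$3"
}

# Run as: sh thisfile.sh install   (needs root for /usr/lib)
if [ "${1:-}" = "install" ]; then
    for lib in libssl libcrypto; do
        install_shared_lib /usr/local/ssl/lib /usr/lib "$lib" 0.9.6 &&
        verify_shared_lib /usr/lib "$lib" 0.9.6
    done
    ldconfig
fi
```

After `ldconfig`, `ldd /usr/local/libexec/slapd | grep -E 'libssl|libcrypto'` tells you which copy slapd actually picked up.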

==========================
mit krb5

download: http://web.mit.edu/network/kerberos-form.html
# lynx  http://web.mit.edu/network/kerberos-form.html

____SNIP____
# tar zxvf krb5-1.2.2.tar.gz
# cd krb5-1.2.2
# ./configure --enable-shared
# make
# make check
# make install
# cd ..
# ldconfig # make sure /usr/local/lib is in ld.so.conf
____SNIP____





==========================
cyrus sasl

download: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.24.tar.gz
# wget  ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-1.5.24.tar.gz

____SNIP____
# tar zxvf cyrus-sasl-1.5.24.tar.gz
# cd cyrus-sasl-1.5.24
# ./configure --enable-plain --disable-krb4 --with-pam=/lib/security
# make
# make check
# make install
# cd ..
# ln -s /usr/local/lib/sasl /usr/lib/sasl
# ldconfig # make sure /usr/local/lib is in ld.so.conf
____SNIP____





==========================
openldap

download: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.0.11.tgz
# wget ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.0.11.tgz

____SNIP____
# CPPFLAGS="-I/usr/local/ssl/include"
# LDFLAGS="-L/usr/local/ssl/lib"
# export CPPFLAGS
# export LDFLAGS
# tar zxvf openldap-2.0.11.tgz
# cd openldap-2.0.11
# ./configure  # 2.0 picks up OpenSSL and Cyrus SASL by itself (--with-tls and --with-cyrus-sasl default to auto); add --enable-spasswd if you want {SASL} userPassword values, see the credits section below
# make depend
# make
# make test ## took a while on my compile box (K6/2-450)
# make install
# cd ..
____SNIP____



CREDITS:

http://www.enic.fr/people/landru/lobster/openldap/OpenLDAP-authenticating-with-PAM.txt

____SNIP____
OpenLDAP authenticating against Win NT domain PDC through PAM


We are trying to build an information system using OpenLDAP 2.0.7.
Due to structural and historical (some say hysterical) reasons
we want to do the user authentication against a Windows NT PDC.

After two or three days fighting with the different environments and
parameters to make it work, I wrote this summary as memorandum pages.

We plan to use
         OpenLDAP => SASL => PAM => pam_smb_auth(*) => NT PDC
to authenticate users

(*) I use the pam_smb_auth module to authenticate against the NT domain.
There are other modules doing the same thing: pam_nt_domain and, in
the future, the Samba appliance WINBIND. I will soon test the latter;
if it works I'll complete this summary.

I hope this paper will help people save time in finding their own
correct configuration and parameters when trying to use OpenLDAP with PAM.

Part of these lines can maybe complement the OpenLDAP administrator's guide
or be used to write a "How to". I apologize for my poor English;
corrections or a rewrite will probably be needed...

Jacques Landru

    -----oOo-----
 Jacques Landru
   mel:  landru@enic.fr
   web:  http://www.enic.fr/people/landru
   tel:  (+33) 3 2033 5556
   fax:  (+33) 3 2033 5598

 E.N.I.C.
 Cite scientifique, rue G. Marconi
 59658 VILLENEUVE D'ASCQ  Cedex
  web: http://www.enic.fr
  Tel: (+33) 3 2033 5577
  Fax: (+33) 3 2033 5599
    -----oOo-----


                             ===== oOo =====



Step 1 : Compile and install OpenSSL
====================================
  SASL authenticates with PAM using the insecure SASL PLAIN mode.
  In PLAIN mode passwords are exchanged in clear text. OpenSSL,
  giving secure connections, is recommended if you use PLAIN
  mode.

  - in the OpenSSL directory

    $ ./config
    $ make
    $ make test
    $ make install

  This will build and install OpenSSL in the default location,
  which is (for historical reasons) /usr/local/ssl.


Step 2 : Compile and install SASL
=================================
  As we don't have a Kerberos environment we disable that authentication
  (--disable-krb4) and force the arguments --enable-plain and --with-pam.

  - in the cyrus-sasl directory
    # ./configure  --with-pam=/lib/security --enable-plain --disable-krb4
    # make
    # make install

    As mentioned in the install script, you have to create a symbolic
    link /usr/lib/sasl pointing to /usr/local/lib/sasl.

Step 3 : create a SASLDB
========================
  As mentioned in the SASL administrative guide, CRAM-MD5 and DIGEST-MD5
  do not appear available until you have a SASLDB. Use the saslpasswd
  command to create a user. (The sasldb holds the secrets these shared-secret
  mechanisms verify against, so keep /etc/sasldb readable only by root and
  the user slapd runs as.)

  - in cyrus-sasl/utils directory
    # ./saslpasswd dummyuser
     Password:
     Again (for verification):

  After that you should have the database in the /etc/sasldb file.

Step 4 : test SASL -> PAM authentication
========================================
  The SASL library includes a sample server and a sample client application
  for test and debug purposes.
  Before integrating SASL -> PAM in OpenLDAP, testing the SASL -> PAM
  mechanism on its own is recommended.
  In this step we assume that pam_smb_auth is OK:
       -a) pam_smb_auth.so is present in the PAM module directory (the PAM
           files below reference it as /lib/security/pam_smb_auth.so; adjust
           the path to wherever your pam_smb installs it),
       -b) the file /etc/pam_smb.conf is configured with the domain
           and two servers (PDC and BDC) for authentication purposes,
       -c) in the Win NT Domain we have a valid "test" user account.

  The SASL sample will be used with the "sample" service name
    - a) create a /usr/lib/sasl/sample.conf file telling SASL to authenticate
         the sample service using PAM. This file contains one line

         pwcheck_method: pam


    - b) in the /etc/pam.d directory create a PAM conf file named "sample"

      #%PAM-1.0
      # is used by SASL sample with SASL configured with pwcheck_method: PAM
      #
      auth        sufficient    /lib/security/pam_smb_auth.so debug nolocal
      auth        required      /lib/security/pam_deny.so
      account     sufficient    /lib/security/pam_unix.so
      account     required      /lib/security/pam_deny.so
      password    required      /lib/security/pam_cracklib.so retry=3
      password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
      password    required      /lib/security/pam_deny.so
      session     required      /lib/security/pam_unix.so

   We are now ready to run the sample, authenticating as the "test" NT user.

   In two separate X terminals run the cyrus sasl sample-server and sample-client.
   Query/Response between sample client and sample server are made by copy/paste
   between the two terminals.

   - a) run the server and the client
      term-1(sample-server):

        # ./sample-server -s sample
        Generating client mechanism list...
        Sending list of 4 mechanism(s)
        S: UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU=
        Waiting for client mechanism...


      term-2(sample-client):

        # ./sample-client -s sample -u test -a test
        service=sample
        Waiting for mechanism list from server...

   - b) copy the mechanism list (line S: UEx....NRDU=)
        from the server (term-1) and paste it into the client (term-2);
        the client will then display the mechanism list PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5
        and prompt for the password of the Win NT test user

      term-2(sample-client):

        ...
        Waiting for mechanism list from server...
        S: UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU=
        Choosing best mechanism from: PLAIN ANONYMOUS DIGEST-MD5 CRAM-MD5
        Password:

      enter the password; the client will display

        ...
        Using mechanism PLAIN
        Preparing initial.
        Sending initial response...
        C: UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc=
        Waiting for server reply...

     - c) copy the response (line C: UEx....1bmc=)
        from the client (term-2) and paste it into the server (term-1);
        sample-server will then authenticate the test user in the Win NT domain PDC
        through pam_smb_auth

      term-1(sample-server):

        ...
        Waiting for client mechanism...
        C: UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc=
        got 'PLAIN'
        Negotiation complete
        Username: test
        Realm: mycomputer.mydomain.fr
        SSF: 0


   We now have an operational SASL => PAM => PAM_SMB => NT domain PDC mechanism
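The two lines pasted between the terminals are base64, which is encoding, not encryption: anyone who can read the wire sees the same bytes. The script below is an added example (not part of the original summary) that decodes the captured S: and C: lines with base64(1) and splits the PLAIN response on its NUL separators (RFC 4616 framing: authzid NUL authcid NUL password; sample-client additionally prefixes the mechanism name and a NUL). The function names and the field-splitting on '|' are mine.

```sh
#!/bin/sh
# Added example, not from the original summary: decode the SASL exchange
# captured above and show what an observer of a PLAIN bind actually sees.

# Base64-decode and turn each NUL separator into '|' so the fields can be
# handled by ordinary shell tools. Usage: b64_fields STRING
b64_fields() {
    printf '%s\n' "$1" | base64 -d | tr '\0' '|'
}

# The mechanism list the server sends (line S: ...) is plain text.
server_mechs() {
    b64_fields "$1"
}

# sample-client sends "<mech> NUL <authzid> NUL <authcid> NUL <password>",
# so after splitting the password is field 4 and the authcid field 3.
plain_authcid() {
    b64_fields "$1" | cut -d'|' -f3
}
plain_password() {
    b64_fields "$1" | cut -d'|' -f4
}

# The captured lines from the terminal session above.
SERVER_LINE='UExBSU4gQU5PTllNT1VTIERJR0VTVC1NRDUgQ1JBTS1NRDU='
CLIENT_LINE='UExBSU4AdGVzdAB0ZXN0AGFjaHR1bmc='

if [ "${1:-}" = "show" ]; then
    echo "server offers : $(server_mechs "$SERVER_LINE")"
    echo "client chose  : $(b64_fields "$CLIENT_LINE" | cut -d'|' -f1)"
    echo "authcid       : $(plain_authcid "$CLIENT_LINE")"
    echo "password      : $(plain_password "$CLIENT_LINE")"
fi
```

Running it with `show` prints the NT test user's password in clear. With pwcheck_method: pam only PLAIN can reach the domain controller (PAM needs the cleartext password; CRAM-MD5 and DIGEST-MD5 are verified against /etc/sasldb, see Step 3), which is why this exchange has to be wrapped in TLS before it is exposed on a network.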

Step 5 : compile and install OpenLDAP enabling cyrus SASL mechanism and SASL password
=====================================================================================
          --with-cyrus-sasl and --enable-spasswd

   - in openldap directory
   # ./configure  --with-cyrus-sasl --enable-spasswd
   # make depend
   # make
   # make test
   # make install

   ... more details in OpenLDAP install file

Step 6 : configure SLAPD to use SASL PLAIN mechanism
====================================================

 In OpenLDAP the parameter named sasl-secprops is by default "noanonymous,noplain".
 So if you want PLAIN you should set it to "none". Note that "none" also drops
 the noanonymous flag; to allow PLAIN while still refusing ANONYMOUS binds use
 "sasl-secprops noanonymous" instead.

 On the LDAP client side SASL mechanisms are governed by the SASL_SECPROPS parameter
 in the /usr/local/etc/openldap/ldap.conf file

    # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE       dc=example, dc=com
    #URI        ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT          12
    #TIMELIMIT          15
    #DEREF              never

    SASL_SECPROPS none

 On the server side, SASL mechanisms are governed by the sasl-host,
 sasl-realm and sasl-secprops parameters in the global
 configuration option part of the slapd.conf file.
 Set sasl-secprops to "none" to clear the default flag properties
 ("noanonymous,noplain"), or to "noanonymous" to clear only noplain.

   ...
   #
   #  S A S L secprops
   #
   sasl-secprops none

   ...


Step 7 : configure SASL pwcheck_method for SLAPD service
========================================================

 create the /usr/lib/sasl/slapd.conf file with this single line

   pwcheck_method: pam

Step 8 : configure pam parameters for slapd service using pam_smb_auth
======================================================================

 In the /etc/pam.d directory create file named "ldap" and containing

    #%PAM-1.0
    # is used by openldap slapd with SASL configured with pwcheck_method: PAM
    #
    auth        sufficient    /lib/security/pam_smb_auth.so debug nolocal
    auth        required      /lib/security/pam_deny.so
    account     sufficient    /lib/security/pam_unix.so
    account     required      /lib/security/pam_deny.so
    password    required      /lib/security/pam_cracklib.so retry=3
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_unix.so

Step 9 : Verify which SASL mechanisms are presented by slapd server
===================================================================

 To see the SASL mechanisms supported by the server you can use the ldapsearch
 command in two ways

  -a) use ldapsearch with debug level set to 2;
      you will then see in the PDU trace which mechanisms are listed

      # /usr/local/bin/ldapsearch -d 2

  -b) do a ldapsearch on the supportedSASLMechanisms attribute of the root DSE

      # /usr/local/bin/ldapsearch -x -L -s "base" -b "" supportedSASLMechanisms

      version: 1

      #
      # filter: (objectclass=*)
      # requesting: supportedSASLMechanisms
      #

      #
      dn:
      supportedSASLMechanisms: PLAIN
      supportedSASLMechanisms: ANONYMOUS
      supportedSASLMechanisms: DIGEST-MD5
      supportedSASLMechanisms: CRAM-MD5

      # search result

      # numResponses: 2
      # numEntries: 1
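A server that lists PLAIN and ANONYMOUS on a plain ldap:// port is advertising exactly what Step 6 unlocked, so it is worth checking from outside after every config change. The script below is an added example (not part of the original summary) that reads the LDIF produced by the ldapsearch command above and flags the mechanisms that carry the password in clear or need no credential; the function names and the "weak" list are mine.

```sh
#!/bin/sh
# Added example, not from the original summary: audit the SASL mechanisms
# a slapd advertises. Feed it the LDIF from
#   ldapsearch -x -L -s base -b "" supportedSASLMechanisms
# on stdin, or pass a host name to query a live server over ldap://.

# Print the offered mechanisms, one per line, from LDIF on stdin.
offered_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Print only the offered mechanisms that must not be exposed without TLS:
# PLAIN and LOGIN send the password itself, ANONYMOUS binds with nothing.
weak_mechs() {
    offered_mechs | grep -E '^(PLAIN|LOGIN|ANONYMOUS)$' || true
}

# Return 0 if nothing weak is offered, 1 otherwise (usable from cron).
audit_ldif() {
    weak=$(weak_mechs)
    if [ -n "$weak" ]; then
        printf 'cleartext/anonymous SASL mechanisms offered:\n%s\n' "$weak" >&2
        return 1
    fi
    echo "no cleartext/anonymous SASL mechanisms offered"
}

# Query a live server (host as $1) on the unencrypted port, where it matters.
if [ -n "${1:-}" ]; then
    ldapsearch -x -L -H "ldap://$1" -s base -b "" supportedSASLMechanisms | audit_ldif
fi
```

With the Step 6 settings this check fails, as it should: the fix is either TLS in front of PLAIN (Step 11) or "sasl-secprops noanonymous" plus a server that is reachable only over ldaps://.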


Step 10 : Make a LDAP query with the Win NT test user
=====================================================

      # /usr/local/bin/ldapsearch -L -b "dc=enic,dc=fr" -U test -X test  "(objectclass=*)"

      SASL/PLAIN authentication started
      Please enter your password:
      SASL username: test
      SASL realm: mycomputer.mydomain.fr
      SASL SSF: 0
      version: 1

      #
      # filter: (objectclass=*)
      # requesting: ALL
      #
      ...

(note: in the above example replace -b "dc=enic,dc=fr" with the right base of your server).


Step 11 : Securing clear-text password exchange (Need to be completed...)
=========================================================================

*** W A R N I N G ****
clear text password exchange (SASL PLAIN mode) should be avoided.

SSL or TLS (using OpenSSL) needs to be enabled so that the PLAIN exchange
is protected in transit.

this paper needs to be completed !!!
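As a starting point for the unfinished step, the script below is an added example and not the summary author's own configuration. It assumes the slapd.conf directives TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile and the ldap.conf options TLS_CACERT and TLS_REQCERT as documented in slapd.conf(5) and ldap.conf(5) for OpenLDAP 2.0 (check the manual pages of your build), the install prefixes used earlier on this page (/usr/local/ssl, /usr/local/etc/openldap), and a self-signed certificate, which is fine for a test box but should be a CA-signed one in production. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original summary: enable TLS for slapd so
# that the SASL PLAIN exchange of Step 10 no longer crosses the wire in clear.
OPENSSL=${OPENSSL:-/usr/local/ssl/bin/openssl}
CONFDIR=${CONFDIR:-/usr/local/etc/openldap}

# Make a self-signed server certificate whose CN is the server's FQDN
# (what clients will connect to). Usage: make_server_cert DIR FQDN
make_server_cert() {
    mkdir -p "$1" && chmod 700 "$1"
    "$OPENSSL" req -new -x509 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/slapd-key.pem" -out "$1/slapd-cert.pem" 2>/dev/null &&
    chmod 600 "$1/slapd-key.pem"
}

# Print the slapd.conf TLS fragment. With a self-signed cert the CA file
# is the cert itself; clients must be given the same file to verify it.
# Usage: slapd_tls_conf CERTDIR
slapd_tls_conf() {
    cat <<EOF
#
#  T L S  (Step 11)
#
TLSCertificateFile      $1/slapd-cert.pem
TLSCertificateKeyFile   $1/slapd-key.pem
TLSCACertificateFile    $1/slapd-cert.pem
EOF
}

# Client side: trust the server certificate and refuse unverified servers.
# Usage: ldap_tls_conf CERTDIR
ldap_tls_conf() {
    printf 'TLS_CACERT %s/slapd-cert.pem\nTLS_REQCERT demand\n' "$1"
}

# Verification: -ZZ makes ldapsearch fail instead of falling back to
# cleartext when StartTLS cannot be negotiated. Usage: check_starttls FQDN
check_starttls() {
    ldapsearch -x -ZZ -H "ldap://$1" -s base -b "" supportedSASLMechanisms
}

case "${1:-}" in
    setup)  # sh thisfile.sh setup ldap.example.com   (as root)
        make_server_cert "$CONFDIR/tls" "$2" &&
        slapd_tls_conf "$CONFDIR/tls" >> "$CONFDIR/slapd.conf" &&
        ldap_tls_conf "$CONFDIR/tls" >> "$CONFDIR/ldap.conf" &&
        echo "now restart: slapd -h 'ldap:/// ldaps:///'  then: $0 check $2" ;;
    check)
        check_starttls "$2" ;;
esac
```

Two caveats. The certificate CN must match the name clients use, or TLS_REQCERT demand will (correctly) refuse the connection. And a 2.0 slapd with "sasl-secprops none" still accepts a PLAIN bind on the unencrypted port (the `security ssf=` directive that refuses this arrived in later 2.x releases), so enforcement lives on the client (-ZZ, TLS_REQCERT) and in exposing only the ldaps:// listener to the network.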


                             ===== oOo =====
____SNIP____