SASL

Introduction

SASL is supported using OpenLDAP Java Backend.

Problem

Assume you have a subtree in Penrose, for example ou=Users,dc=SASL,dc=Example,dc=com, that maps users from an external data source. We want to allow these users to authenticate to Penrose via SASL using the DIGEST-MD5 mechanism.

Solution

First, make sure that the userPassword attribute of the Penrose users is stored in clear text. Also make sure the Penrose ACL on this subtree allows the anonymous user to read the userPassword attribute; OpenLDAP needs this when validating the password. This could be a security hole, but it is closed below using OpenLDAP's ACL.

Next, edit slapd.conf and configure a Penrose backend in OpenLDAP:

database        java
class           "org.safehaus.penrose.openldap.PenroseBackend"
libpath         "c:/usr/local/penrose-server-1.0.4/lib"
libpath         "c:/usr/local/penrose-server-1.0.4/lib/ext"
property        "penrose.home" "c:/usr/local/penrose-server-1.0.4"
suffix          "dc=Example,dc=com"
suffix          "ou=system"

When a user authenticates using SASL, OpenLDAP assigns it an authentication DN of the form uid=<username>,cn=digest-md5,cn=auth.

Create a mapping in slapd.conf that rewrites the authentication DN to the actual Penrose entry, for example:

sasl-regexp  uid=([^,]*),cn=digest-md5,cn=auth  uid=$1,ou=Users,dc=SASL,dc=Example,dc=com

Finally, configure OpenLDAP's ACL to prevent anonymous users from reading the clear-text password, for example:

access to *
    by dn.one=ou=Users,dc=SASL,dc=Example,dc=com read
    by dn.base=uid=admin,ou=system write
    by anonymous auth

Start OpenLDAP and run the following command:

ldapsearch -x -b "dc=Example,dc=com"

Anonymous users should not be able to see the directory.

ldapsearch -Y DIGEST-MD5 -U swhite -b "dc=Example,dc=com"
SASL/DIGEST-MD5 authentication started
Please enter your password:

Authenticated users should be able to see the directory.
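The following added example (not Penrose's or OpenLDAP's own code) models the two slapd.conf pieces above in Python: the sasl-regexp rewrite from the authentication DN to the Penrose entry, and the first-match-wins ACL that gives anonymous binds only "auth" access (enough for OpenLDAP to check the password, not enough to search) while mapped users one level under ou=Users get "read". DN handling is simplified (no escaped commas); the access-level ordering follows OpenLDAP's none < auth < compare < search < read < write.

```python
import re

# The page's slapd.conf directives, as constructed data.
SASL_REGEXP = (r"uid=([^,]*),cn=digest-md5,cn=auth",
               "uid=$1,ou=Users,dc=SASL,dc=Example,dc=com")

# "access to *": clauses are tried in order, first match wins,
# and a requester matching no clause gets no access at all.
ACL = [
    ("dn.one", "ou=Users,dc=SASL,dc=Example,dc=com", "read"),
    ("dn.base", "uid=admin,ou=system", "write"),
    ("anonymous", None, "auth"),
]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def normalize(dn):
    # Lower-case and trim around RDN separators (simplification: no escape handling).
    return ",".join(p.strip() for p in dn.lower().split(","))

def map_sasl_dn(auth_dn):
    # Apply the sasl-regexp; OpenLDAP's $1 is Python's \1 in the replacement.
    pattern, replacement = SASL_REGEXP
    m = re.fullmatch(pattern, normalize(auth_dn))
    if not m:
        return None          # unmapped identities stay as the cn=auth DN
    return m.expand(replacement.replace("$1", r"\1"))

def parent_dn(dn):
    return ",".join(normalize(dn).split(",")[1:])

def access_level(requester_dn):
    # requester_dn is None for an anonymous (simple, unauthenticated) bind.
    for who, target, level in ACL:
        if who == "anonymous":
            if requester_dn is None:
                return level
        elif requester_dn is not None:
            if who == "dn.base" and normalize(requester_dn) == normalize(target):
                return level
            if who == "dn.one" and parent_dn(requester_dn) == normalize(target):
                return level
    return "none"

def can(requester_dn, needed):
    # True when the granted level is at least the level the operation needs.
    return LEVELS.index(access_level(requester_dn)) >= LEVELS.index(needed)

if __name__ == "__main__":
    swhite = map_sasl_dn("uid=swhite,cn=digest-md5,cn=auth")
    print(swhite, can(None, "read"), can(swhite, "read"))  # anonymous: no; swhite: yes
```

The two ldapsearch runs above correspond to `can(None, "read")` (anonymous, denied) and `can(map_sasl_dn("uid=swhite,cn=digest-md5,cn=auth"), "read")` (mapped user, allowed).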

Reference