How to get SASL authentication to work with DIGEST-MD5 for OpenLDAP?
My recipe is for OpenLDAP to check /etc/sasldb2 directly.
First step: ensure that /etc/sasldb2 is owned by the slapd user.
Next step: have slapd not look for credentials in the directory tree, which is done as follows:
dn: cn=config
changetype: modify
replace: olcSaslAuxprops
olcSaslAuxprops: sasldb
Later, you will also need an olcAuthzRegexp rule, but it is not necessary in order to test whether auth works.
These settings are working on Debian GNU/Linux Jessie with OpenLDAP-2.4.40 built from source.
The CRAM-MD5 and DIGEST-MD5 methods are impossible with "pwcheck_method: saslauthd". They need plain, unencrypted passwords in the LDAP directory itself.
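To show why the last point holds, here is an added example (not code from the answer above) that walks through the RFC 2831 DIGEST-MD5 computation on both sides. The realm, digest-uri, nonces and password are constructed values; the server can only verify the client's response if it holds the plaintext password or the realm-bound MD5(username:realm:password) that sasldb2 provides, which a yes/no password check through saslauthd or an SSHA userPassword cannot supply.

```python
import hashlib
import hmac

# Constructed parameters standing in for a real exchange; nothing here comes
# from the answer above. Real nonces are random and fresh per exchange.
REALM = "example.org"
DIGEST_URI = "ldap/ldap.example.org"


def sasldb_secret(username: str, realm: str, password: str) -> bytes:
    """The value the server must be able to produce: H(username:realm:password).
    A realm-bound MD5 like this cannot be derived from an SSHA userPassword,
    and saslauthd never sees the password during DIGEST-MD5 at all."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth. The client derives `secret` from
    the password it knows; the server reads the same value via sasldb2.
    The password itself never crosses the wire."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()
    return hashlib.md5(kd).hexdigest()


def server_verify(stored_secret: bytes, client_response: str, nonce: str,
                  cnonce: str, nc: str, qop: str, digest_uri: str) -> bool:
    """slapd's side of the check: recompute from the stored secret and compare
    in constant time. A plaintext-only checker cannot do this step."""
    expected = digest_md5_response(stored_secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)


def demo() -> bool:
    """One full exchange with the constructed values; True means auth succeeds."""
    stored = sasldb_secret("alice", REALM, "correct horse")  # what sasldb2 yields
    nonce, cnonce, nc, qop = "srvnonce123", "clinonce456", "00000001", "auth"
    # The client computes from the password it holds, independently of the server.
    resp = digest_md5_response(sasldb_secret("alice", REALM, "correct horse"),
                               nonce, cnonce, nc, qop, DIGEST_URI)
    return server_verify(stored, resp, nonce, cnonce, nc, qop, DIGEST_URI)
```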