Setting up saslauthd
saslauthdis a daemon process that handles plaintext authentication requests on behalf of the SASL library.
In LDAP authentication, the
saslauthd process handles authentication requests on behalf of Couchbase Server while the LDAP protocol is used to connect to the LDAP server.
Remote authentication with the LDAP server requires proper configuration of the
Install your Unix operating system with the package that is supported for LDAP integration.
Make sure that you have the prerequisites for the LDAP software you are installing, such as OpenLDAP libraries.
On RPM-based distros, installation packages are a part of
cyrus-sasl rpm, so make sure that it is installed.
- CentOS 6
saslauthd 2.1.23or higher
- CentOS 7
saslauthd 2.1.26or higher
saslauthd 2.1.25or higher
saslauthd 2.1.23or higher
Make sure your LDAP setup is working by running a test
ldapsearch as follows:
ldapsearch -LLL -H ldap://ldapserver:389 -D cn=someuser,ou=users,dc=mydomain,dc=com -w Passw0rd -x -bou=users,dc=mydomain,dc=com cn=someuser
Install the saslauthd package on your operating system.
On Ubuntu, install
saslauthd with the following command:
sudo apt-get install sasl2-bin
Ensure that the Couchbase Cluster is running. Then, enable external authentication on the cluster, using the Couchbase CLI
setting-ldapcommand: specifying server IP-address and port number, username and password:
$ couchbase-cli setting-ldap -c 10.142.170.101:8091 -u Administrator -p passw0rd --ldap-enabled 1
--ldap-enabled 1enables external authentication, and
--ldap-enabled 0disables. See setting-ldap for further information. When successfully executed, the command provides the following notification:
SUCCESS: LDAP settings modified.
Red Hat Enterprise Linux, CentOS, and Amazon Linux AMI edit /etc/sysconfig/saslauthd (
/etc/default/saslauthdon Debian/Ubuntu) to set the mechanism
Ubuntu and Debian edit /etc/default/saslauthd, setting
On Debian and Ubuntu, you should also add Couchbase to the
sudo adduser couchbase sasl
The default configuration file used to obtain the LDAP configuration parameters is located at /usr/local/etc/saslauthd.conf. Open this in your editor of choice.
Specify URIs of the LDAP servers used for authentication, such as
ldap://10.1.1.12/. Multiple LDAP servers can be specified in the list, which is then tested to find out whether one of the servers is offline. If you install OpenLDAP on the local host machine, you can specify the value
If using LDAP over SSL, you can specify the value
ldap_servers: ldaps://10.1.1.25 ldaps://10.1.1.15
Specify the distinguished name to which the search is relative. The search includes the base or objects below.
It also includes Domain Components (
dc) such as in
The administrative users created in LDAP with the attribute
uidare placed under the user’s organizational unit
ouunder the two domain components (
Specify the search filter. The values for these configuration options correspond to the values specific to the test. For example, to filter on email specify
Configure LDAP options
ldap_servers: ldaps://ad.example.net ldap_search_base: ou=Users,dc=example,dc=com ldap_filter: (uid=%u)
For sasld to run automatically on start up, you’ll need to change the
START = yes
If the connection is properly working, the user
couchbasemust have access to /var/run/saslauthd/mux (or the appropriate alternate directory for SUSE), in order to communicate to
Start the saslauthd service (or set it to start automatically with
$ sudo service saslauthd restart Stopping saslauthd: [ OK ] Starting saslauthd: [ OK ] chkconfig saslauthd on chkconfig --list saslauthd saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthdby using the
testsaslauthscript to test LDAP authentication:
$ sudo -u couchbase /usr/sbin/testsaslauthd -u <username> \ -p mypassword -f /var/run/saslauthd/mux 0: OK "Success."
Restart the Couchbase service, to allow authentication through the changed configuration.
$ sudo service couchbase-server restart
Putting the above steps into typical configuration files:
cat /etc/saslauthd.conf # ldap_servers: ldap:<URI>:<PORT> or ldaps:<URI>:<PORT> for TLS protected connection ldap_servers: ldap://my.company.com:389 # The administrative users created in LDAP with the attribute uid are placed under the user's # organizational unit ou under the two domain components (example and com). OU=InteractiveUsers,DC=my,DC=company,DC=com # Specifies the search filter. The values for these configuration options correspond to the # values specific to the test ldap_filter: uid=%u # Optional: specify a user to perform ldap queries ldap_bind_dn: CN=user_ldap,OU=Users,DC=my,DC=company,DC=com # Optional: specify ldap user’s password ldap_password: -sEcReTp#AssWoRd!
cat /etc/sysconfig/saslauthd # Just keep the default SOCKETDIR=/var/run/saslauthd # Make sure MECH is set to ldap (pam is default) MECH=ldap # Include the config file described above FLAGS="-O /etc/saslauthd.conf"
A common requirement is to delegate some or all authentication to another LDAP server.
Here is a sample
saslauthd configuration that uses Microsoft Active Directory (AD) as the LDAP server:
Here is a sample
saslauthd configuration with Microsoft Active Directory (AD):
ldap_servers: ldap://dc1.example.com:<port> ldap_search_base: cn=Users,DC=ad,DC=example,DC=com ldap_filter: sAMAccountName=%u ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com ldap_password: secret
After you set up the LDAP server,
saslauthd, and LDAP administrators, likely causes of problems include:
Firewall ports are not open for LDAP.
The Proxy did not start or has started with an inappropriate protocol or hostname.
The configuration of saslauthd is incorrect (look at /etc/sysconfig/saslauthd or /etc/saslauthd.conf)
The LDAP filters are not correct.
You can also encounter error messages from the system. These errors belong either to issues caused by
saslauthdor the LDAP server.