The following procedure explains how to configure Directory Server to use DIGEST-MD5.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Use the ldapsearch command to verify that DIGEST-MD5 is a value of the supportedSASLMechanisms attribute on the root entry.
For example, the following command shows which SASL mechanisms are enabled:
$ ldapsearch -h host -p port -D cn=admin,cn=Administrators,cn=config -w - \
 -s base -b "" "(objectclass=*)" supportedSASLMechanisms
Enter bind password:
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
^D
If DIGEST-MD5 is not enabled, enable it.
$ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: cn=SASL, cn=security, cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: DIGEST-MD5
-
replace: dsSaslPluginsPath
dsSaslPluginsPath: SASL-library
^D
where SASL-library is one of the following:
/usr/lib/mps/sasl2
install-path/dsee6/private/lib
Use the default identity mappings for DIGEST-MD5, or create new mappings.
For information, see DIGEST-MD5 Identity Mappings.
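Ensure that the password is stored with the {CLEAR} storage scheme for all users who will access the server through SSL using DIGEST-MD5. The server computes the expected digest from the stored password, which it cannot do from a one-way hash.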
See Chapter 7, Directory Server Password Policy for password storage schemes.
If you modified the SASL configuration entry or one of the DIGEST-MD5 identity mapping entries, restart Directory Server.
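The two checks in this procedure (DIGEST-MD5 listed in supportedSASLMechanisms, and userPassword stored as {CLEAR}) can be run over saved ldapsearch output. The following is an added example, not part of the original documentation or the product. The function names, the sample entries, and the assumption that a stored value begins with its scheme in braces are illustrative.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries, current = [], {}
    for line in unfolded.split("\n") + [""]:
        if not line.strip():              # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):         # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def digest_md5_readiness(root_dse_ldif, users_ldif):
    """Return (mechanism_enabled, [DNs with a missing or non-{CLEAR} userPassword])."""
    mechs = {m.upper() for e in parse_ldif(root_dse_ldif)
             for m in e.get("supportedsaslmechanisms", [])}
    not_clear = []
    for entry in (e for e in parse_ldif(users_ldif) if "dn" in e):
        passwords = entry.get("userpassword", [])
        # Assumption: stored values carry their scheme as a {SCHEME} prefix.
        if not passwords or not all(p.upper().startswith("{CLEAR}") for p in passwords):
            not_clear.append(entry["dn"][0])
    return "DIGEST-MD5" in mechs, not_clear

# Constructed sample input (not real directory data).
ROOT_DSE = """dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
"""
HASHED = base64.b64encode(b"{SSHA}constructed-sample-hash").decode()
USERS = f"""dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {{CLEAR}}constructed-sample

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: {HASHED}

dn: uid=carol,ou=People,
 dc=example,dc=com
"""
```

Calling digest_md5_readiness(ROOT_DSE, USERS) reports the mechanism as enabled and lists bob and carol. The same list is an inventory of which accounts do not hold a clear text password, useful when scoping who actually needs {CLEAR} storage.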