RE: LDAP auth failure

From: Chapman, Kyle (no email)
Date: Tue Nov 27 2007 - 11:01:05 EST

  • Next message: Gary Mills: "How to synchronize Kerberos and SASL passwords?"

    Example: /usr/local/bin/ldapsearch -Y digest-md5 -U herm14266x -s base -b ""

    If things are set for digest-md5 use for the user in the directory (see
    the openldap doc), you should be able to get a good sasl bind (if sasl
    is working ok). The ldapsearch you showed was a simple bind as opposed
    to a sasl bind which might use gssapi (AD, krb5), digest/cram-md5,
    etc...

    Note that ldap+sasl validation is kind of jumping sasl checks on its
    own. If it works, then you MIGHT be able to think all of sasl is ok.
    Others can say with more certainty if that is the case. Check this next
    statement with openldap doc, as I recall digest/cram-md5 required the
    password (shared secret if you prefer) be stored in cleartext in the
    directory. Not sure if that is an issue in this case. The slapd.conf
    passwd is the rootdn passwd, which is not required, you can use sasl
    mechs for this instead (see the openldap doc, many many options here).

    -----Original Message-----
    From: Shelley Waltz [mailto:]
    Sent: Monday, November 26, 2007 1:31 PM
    To: Chapman, Kyle
    Cc:
    Subject: RE: LDAP auth failure

    installed

    [root at roadrunner src]# rpm --install cyrus-sasl-ldap-2.1.22-4.i386.rpm
    [root at roadrunner src]# rpm --install cyrus-sasl-md5-2.1.22-4.i386.rpm

    and stop/start ldap and saslauthd
    results are the same.

    regarding doing sasl binds with ldapsearch, I am somewhat confused.
    the rootdn == roadrunner.cabm.rutgers.edu password in the slapd.conf
    file is in {MD5}, however, the userPassword for each uid are in {CRYPT}
    in my LDAP database.

    What ldapsearch?

    On Mon, 26 Nov 2007, Chapman, Kyle wrote:

       Your first ldapsearch example was with a non sasl bind (-x). Try
       ldapsearch -Y <sasl mech> <other params>
       Looks like digest/cram-md5, gssapi mechs are not installed (at least
       via rpm???)
       
       Perhaps installing these may help as well:
       cyrus-sasl-ldap-2.1.22-4
       cyrus-sasl-md5-2.1.22-4
       
       To be clear, all this will do is validate that ldap+sasl is working
       ok, so do any of the other samples for sasl work (I'm used to the src
       build where the test stuff is under 'sample').
       
       
       -----Original Message-----
       From: Shelley Waltz [mailto:]
       Sent: Monday, November 26, 2007 12:26 PM
       To: ; Chapman, Kyle
       Subject: RE: LDAP auth failure
       
       [root at roadrunner openldap]# rpm -qa|grep sasl
       cyrus-sasl-lib-2.1.22-4
       cyrus-sasl-2.1.22-4
       cyrus-sasl-devel-2.1.22-4
       cyrus-sasl-plain-2.1.22-4
       
       I mentioned that the md5 password for the rootdn does indeed work in
       my "luma" ldap browser/editor as well with ldapsearch non-anonymously.
       
       
       
       On Mon, 26 Nov 2007, Chapman, Kyle wrote:
       
          Is the digest-md5 or other sasl mechs installed (some distros did
          the mechs as sep rpms, don't recall what RH did)?
          
          Can you do any sasl binds with ldapsearch with the dn of:
          cn=waltz_shelley,dc=cabm.rutgers,dc=edu
        
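The thread turns on one point: Shelley's userPassword values are stored as {CRYPT} hashes, and the shared-secret SASL mechanisms (DIGEST-MD5, CRAM-MD5) need the server to recover the secret itself, so they only work when the password is stored in cleartext, while a simple bind works against any scheme slapd can verify. The script below is an added example, not code from this thread or from the OpenLDAP or Cyrus SASL projects: it parses LDIF as ldapsearch prints it (including base64 "::" values and folded continuation lines), classifies each userPassword by its {SCHEME} prefix, and reports which bind types can work for that entry and which entries hold a secret readable at rest. The DNs, user names and password values in SAMPLE_LDIF are constructed; the mechanism rule should be confirmed against the OpenLDAP documentation for the version in use, as Kyle suggests.

```python
import base64
import re
from typing import Dict, List

# Constructed sample in the LDIF format ldapsearch prints. The DNs, users and
# password values are hypothetical. ldapsearch base64-encodes userPassword
# ("::"), shown in the second entry; a line starting with a space continues
# the previous attribute value, shown in the fourth entry.
SAMPLE_LDIF = """\
dn: cn=alice,dc=example,dc=edu
objectClass: inetOrgPerson
cn: alice
userPassword: {CRYPT}abJnggxhB/yWI

dn: cn=bob,dc=example,dc=edu
objectClass: inetOrgPerson
cn: bob
userPassword:: e1NTSEF9YWJj

dn: cn=carol,dc=example,dc=edu
objectClass: inetOrgPerson
cn: carol
userPassword: plaintext-secret

dn: cn=dave,dc=example,dc=edu
objectClass: inetOrgPerson
cn: dave
userPassword: {MD5}X03MO1qn
 ZdYdgyfeuILPmQ==
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lowercased."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    unfolded = text.replace("\n ", "")  # join folded continuation lines
    for line in unfolded.splitlines():
        if not line.strip():            # a blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldapsearch comment lines
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                 # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value; no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def usable_binds(scheme: str) -> List[str]:
    """Bind types that can verify a password stored under this scheme.

    Simple bind works with any scheme slapd can verify. DIGEST-MD5 and
    CRAM-MD5 are shared-secret mechanisms: the server must know the secret
    itself, so they need the value stored in cleartext (the caveat raised in
    the thread; confirm against the OpenLDAP docs for the version in use).
    """
    binds = ["simple"]
    if scheme == "CLEARTEXT":
        binds += ["DIGEST-MD5", "CRAM-MD5"]
    return binds


def audit(ldif_text: str) -> Dict[str, Dict[str, object]]:
    """Map each DN that has a userPassword to its scheme, the binds that can
    work, and whether the secret is readable by anyone who can read the attribute."""
    report: Dict[str, Dict[str, object]] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userpassword", []):
            scheme = password_scheme(pw)
            report[dn] = {
                "scheme": scheme,
                "binds": usable_binds(scheme),
                "cleartext_at_rest": scheme == "CLEARTEXT",
            }
    return report


if __name__ == "__main__":
    for dn, info in audit(SAMPLE_LDIF).items():
        flag = "  <-- secret readable at rest" if info["cleartext_at_rest"] else ""
        print(f"{dn}: {info['scheme']} -> {', '.join(info['binds'])}{flag}")
```

Run it over the output of `ldapsearch -x -D <rootdn> -W -b <base> userPassword` (as the directory administrator, since userPassword is normally not readable by ordinary users) to see at a glance which accounts could ever authenticate via DIGEST-MD5 and which ones carry a cleartext secret. The trade-off the report makes visible is the one Kyle points at: enabling the shared-secret SASL mechanisms against the directory means storing recoverable secrets, so access to the userPassword attribute then needs the same protection as the passwords themselves.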
       

