RE: LDAP auth failure

From: Chapman, Kyle (no email)
Date: Tue Nov 27 2007 - 11:01:05 EST

  • Next message: Gary Mills: "How to synchronize Kerberos and SASL passwords?"

    Example: /usr/local/bin/ldapsearch -Y digest-md5 -U herm14266x -s base -b ""

    If things are set for digest-md5 use for the user in the directory (see
    the openldap doc), you should be able to get a good sasl bind (if sasl
    is working OK). The ldapsearch you showed was a simple bind as opposed
    to a sasl bind, which might use gssapi (AD, krb5), digest/cram-md5,

    Note that ldap+sasl validation is kind of jumping sasl checks on its
    own. If it works, then you MIGHT be able to think all of sasl is ok.
    Others can say with more certainty if that is the case. Check this next
    statement with openldap doc, as I recall digest/cram-md5 required the
    password (shared secret if you prefer) be stored in cleartext in the
    directory. Not sure if that is an issue in this case. The slapd.conf
    passwd is the rootdn passwd, which is not required, you can use sasl
    mechs for this instead (see the openldap doc, many many options here).

    -----Original Message-----
    From: Shelley Waltz [mailto:]
    Sent: Monday, November 26, 2007 1:31 PM
    To: Chapman, Kyle
    Subject: RE: LDAP auth failure


    [root at roadrunner src]# rpm --install cyrus-sasl-ldap-2.1.22-4.i386.rpm
    [root at roadrunner src]# rpm --install cyrus-sasl-md5-2.1.22-4.i386.rpm

    and stop/start ldap and saslauthd
    results are the same.

    Regarding doing sasl binds with ldapsearch, I am somewhat confused.
    The rootdn password in the slapd.conf file is in {MD5}; however, the
    userPassword for each uid is in {CRYPT} in my LDAP database.

    What ldapsearch?

    On Mon, 26 Nov 2007, Chapman, Kyle wrote:

       Your first ldapsearch example was with a non-sasl bind (-x). Try
       ldapsearch -Y <sasl mech> <other params>
       Looks like digest/cram-md5, gssapi mechs are not installed (at least
       Perhaps installing these may help as well:
       To be clear, all this will do is validate that ldap+sasl is working,
       so do any of the other samples for sasl work (I'm used to the src
       where the test stuff is under 'sample')?
       -----Original Message-----
       From: Shelley Waltz [mailto:]
       Sent: Monday, November 26, 2007 12:26 PM
       To: ; Chapman, Kyle
       Subject: RE: LDAP auth failure
       [root at roadrunner openldap]# rpm -qa|grep sasl
       I mentioned that the md5 password for the rootdn does indeed work in
       "luma" ldap browser/editor as well with ldapsearch non-anonymously.
       On Mon, 26 Nov 2007, Chapman, Kyle wrote:
          Is the digest-md5 or other sasl mechs installed (some distros did
          mechs as sep rpms, don't recall what RH did)?
          Can you do any sasl binds with ldapsearch with the dn of:
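Two checks a practitioner would run before chasing the saslauthd side any further, written here as an added example (not code from the thread or from the OpenLDAP/Cyrus SASL projects): whether the server's rootDSE actually advertises the mechanism being requested with `-Y`, and whether the user's `userPassword` is stored in a form DIGEST-MD5/CRAM-MD5 can verify. Both mechanisms compute a challenge response from the shared secret, so the server must hold the cleartext password; a `{CRYPT}` or `{MD5}` value, as in the poster's directory, cannot be used. The LDIF strings are constructed sample input, and the DN `uid=herm14266x,ou=people,dc=example,dc=com` is assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for two things the
# thread circles around:
#   1. does the server advertise the SASL mechanism ldapsearch -Y asks for
#   2. is userPassword stored so DIGEST-MD5/CRAM-MD5 can verify it
#
# Commands against a live server (ou=people,dc=example,dc=com is assumed):
#   simple bind, what the thread's first ldapsearch did:
#     ldapsearch -x -D "uid=herm14266x,ou=people,dc=example,dc=com" -W -s base -b ""
#   SASL bind with DIGEST-MD5, the command suggested in the reply:
#     ldapsearch -Y DIGEST-MD5 -U herm14266x -s base -b ""
#   what the server offers, no bind needed:
#     ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms

# Print one mechanism per line from rootDSE LDIF read on stdin.
rootdse_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Return 0 if mechanism $1 appears in the rootDSE LDIF passed as $2.
mech_offered() {
    printf '%s\n' "$2" | rootdse_mechs | grep -qx "$1"
}

# Print the storage scheme of a userPassword LDIF line ("{CRYPT}", "{MD5}",
# "{CLEARTEXT}", ...) or "cleartext" when there is no {SCHEME} prefix.
# ldapsearch normally prints the attribute base64-encoded ("userPassword::"),
# so both spellings are accepted.
userpassword_scheme() {
    case $1 in
        'userPassword:: '*) value=$(printf '%s' "${1#userPassword:: }" | base64 -d) ;;
        'userPassword: '*)  value=${1#userPassword: } ;;
        *) printf 'not-a-userPassword-line\n'; return 1 ;;
    esac
    case $value in
        \{*\}*) printf '%s\n' "$value" | sed 's/^\({[^}]*}\).*/\1/' ;;
        *)      printf 'cleartext\n' ;;
    esac
}

# Return 0 when DIGEST-MD5/CRAM-MD5 could verify this stored password.
# Both need the cleartext secret server-side; slapd treats {CLEARTEXT}
# the same as an unprefixed value, and any hash scheme rules them out.
digest_md5_can_verify() {
    case $(userpassword_scheme "$1") in
        cleartext|'{CLEARTEXT}') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed rootDSE answers: one from a server with the md5 and gssapi
# plugins loaded, one from a server where cyrus-sasl-md5 is missing.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI'
SAMPLE_ROOTDSE_NOMD5='dn:
supportedSASLMechanisms: EXTERNAL'

# Constructed userPassword lines; the hash is a made-up DES crypt value.
CRYPT_LINE='userPassword: {CRYPT}abJnggxhB/yWI'
CLEAR_LINE='userPassword: secret'
B64_LINE="userPassword:: $(printf '%s' '{CRYPT}abJnggxhB/yWI' | base64)"

# Demonstration when run directly.
for mech in DIGEST-MD5 GSSAPI; do
    if mech_offered "$mech" "$SAMPLE_ROOTDSE"; then
        echo "$mech: offered by server"
    else
        echo "$mech: NOT offered (plugin missing or not enabled in slapd)"
    fi
done
for line in "$CRYPT_LINE" "$CLEAR_LINE" "$B64_LINE"; do
    scheme=$(userpassword_scheme "$line")
    if digest_md5_can_verify "$line"; then
        echo "$scheme: usable for DIGEST-MD5/CRAM-MD5"
    else
        echo "$scheme: NOT usable for DIGEST-MD5/CRAM-MD5 (needs cleartext)"
    fi
done
```

If the mechanism is missing from the rootDSE, installing the `cyrus-sasl-md5` package and restarting slapd is the fix on the server side; if it is present but the bind still fails for a `{CRYPT}` user, the password has to be re-set after switching slapd to store cleartext for those accounts (the `password-hash` directive in slapd.conf), and that trade-off against the directory's confidentiality is what the reply is warning about.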
