
Re: newbie question. SASL auth.



At 02:15 AM 2002-08-27, Ilya Bassine wrote:
>Could you please tell me what I did wrong?

What do you have working so far?
Have you gotten the Cyrus SASL sample client/server working?

>bash-2.05a$ ldapadd -X uid=root,cn=myorg.ru,cn=auth,cn=digest-md5  -W -f  \ 
>~ilya/ldap_test/entry.test

Note that the -X is for SASL proxy authorization.  Have
you gotten SASL working without proxy authorization?

>Enter LDAP Password:
>SASL/OTP authentication started
>ldap_sasl_interactive_bind_s: Insufficient access (50)
>additional info: SASL(-14): authorization failure: 
>Inappropriate authentication
>bash-2.05a$

Note the use of OTP, not DIGEST-MD5.  You might want to explicitly
specify the desired mechanism before relying on auto-selection.

The error means that the proxy authorization policy disallows
the authenticated user from assuming the asserted proxy
authorization identity.

You might try enabling some server debugging...  that will
tell what's going on, what identities are being asserted,
what's getting mapped to what, etc.

Kurt
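
The two checks made in the reply above (which mechanism was actually negotiated, and whether the failure is a proxy authorization refusal) can be run mechanically over a client transcript. This is an added example, not part of the original message or of OpenLDAP; the function names and finding labels are hypothetical, and the sample transcript is the output quoted in the message with the wrapped line rejoined.

```shell
#!/bin/sh
# Added example: triage the output of an OpenLDAP client SASL bind.
# Usage: diagnose_sasl_bind EXPECTED_MECH < transcript
# Function names and finding labels are hypothetical, chosen for this example.

diagnose_sasl_bind() {
    expected=$1
    transcript=$(cat)

    # The client announces the chosen mechanism as
    # "SASL/<MECH> authentication started".
    mech=$(printf '%s\n' "$transcript" |
        sed -n 's/^SASL\/\([A-Za-z0-9_-]*\) authentication started.*/\1/p' |
        head -n 1)

    if [ -z "$mech" ]; then
        echo "no-mechanism: no 'SASL/<mech> authentication started' line found"
    elif [ "$mech" != "$expected" ]; then
        # Auto-selection picked something other than what was intended.
        echo "mech-mismatch: negotiated $mech, expected $expected; pass -Y $expected"
    else
        echo "mech-ok: $mech"
    fi

    # Result code 50 together with SASL(-14) is the combination quoted in the
    # message: the authenticated user may not assume the asserted -X identity.
    if printf '%s\n' "$transcript" | grep -qF 'Insufficient access (50)' &&
       printf '%s\n' "$transcript" | grep -qF 'SASL(-14)'; then
        echo "authz-denied: proxy authorization refused; retry without -X first"
    fi
}

# Sample input: the client output quoted in the message above.
sample_transcript() {
    cat <<'EOF'
SASL/OTP authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: Inappropriate authentication
EOF
}

sample_transcript | diagnose_sasl_bind DIGEST-MD5
```
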