
Re: ldapadd won't add entry via SASL/DIGEST-MD5



I was able to get the sasl sample server and client
software working, but was not really sure how to then
test them against the ldap service (unless it was just
"-s ldap").

I decided to open up the verboseness of ldapadd and
believe I've discovered what the fundamental problem
may be.  It seems that ldapadd is trying to
authenticate against the server's FQDN as the realm,
which is not associated with any of the users in the
sasldb.  I tried specifying the authcid (-U) and
authzid (-X) (i.e., root@localhost), but could never
get ldapadd to supply the correct realm information. 
I am able to add ldap entries using simple
authentication, but still no sasl.

Any idea how I might be able to force ldapadd to use
the user specific realm information (i.e., localhost)?

Respectfully,


Gary


--- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> At 01:58 PM 2002-08-28, Gary C. New wrote:
> >I was recently able to build cyrus-sasl-2.1.7
> >(--with-ldap and --with-mysql) and openldap-2.1.4
> >(--with-cyrus-sasl) on a Linux box.
> >
> >I am now at the point where I am trying to use ldapadd
> >to add ldap entries via SASL/DIGEST-MD5 like so:
> >
> ># ldapadd -f test.ldif -D "cn=root,dc=test,dc=org"
> >SASL/DIGEST-MD5 authentication started
> >Please enter your password: 
> >ldap_sasl_interactive_bind_s: Internal (implementation
> >specific) error (80)
> >        additional info: SASL(-13): user not found: no secret
> >in database
> >
> >When using SASL/DIGEST-MD5 authentication what are the
> >typical steps necessary to get ldapadd to work?
> 
> The first step is to get the Cyrus SASL sample
> client/server working.  Have you done this?
> 
> >I've been monitoring the system logs and no errors are
> >reported.  Does the rootdn need to be added to the
> >sasldb2
> 
> No.  But you need to have the user/password in
> sasldb2 (if you are using sasldb2 and not some
> other credential store).
> 
> >(i.e., saslpasswd2 -c root -u test.org)?
> 
> IIRC, that's basically right.  But better to follow
> Cyrus SASL's sysadmin.html documentation on how to
> get their sample client / server working... then
> ldapclients & slapd(8) should work using same
> mechanism / credentials which worked for the same
> client / server.
> 
> >It is apparent that this is a user/passwd error, but
> >where do I initially add the SASL/DIGEST-MD5 rootdn
> >passwd and what would the ldapadd syntax be after
> >having created the rootdn account?
> 
> Once you have the sample client/server working and
> duplicated in ldap clients / server, you can check
> the logs to see what DN was associated with the
> authenticated user... and for your "root" user,
> set the rootdn to the DN associated that user.
> 
> The form of this DN is discussed in the Admin Guide.
> The Admin Guide also discusses optional DN mapping
> capabilities of slapd(8).
> 
> Kurt
> 
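The following is an added illustration and is not code from this thread, from OpenLDAP or from Cyrus SASL. It models why the bind above fails with "no secret in database": Cyrus SASL keys each sasldb2 secret by (user, realm), and the DIGEST-MD5 realm is hashed into A1 (RFC 2831), so a client that silently uses the server's FQDN as the realm looks up, and hashes with, a key the server never stored. The SASLDB dict, the FQDN ldap.test.org, the password and the nonces are all constructed values; the realm test.org follows the saslpasswd2 invocation quoted above. Only the response computation follows the RFC.

```python
import hashlib
from typing import Optional

# Constructed stand-in for the sasldb2 credential store. Cyrus SASL keys
# each secret by (authcid, realm); the same user under another realm is
# simply a different (here: missing) entry.
SASLDB = {
    ("root", "test.org"): "r00t-password",   # as if: saslpasswd2 -c root -u test.org
}

# Constructed exchange parameters (not captured from a real server).
SERVER_FQDN = "ldap.test.org"   # what the client falls back to as its realm
NONCE = "c2VydmVyLW5vbmNl"
CNONCE = "Y2xpZW50LW5vbmNl"
NC = "00000001"


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str,
                        nonce: str, cnonce: str, nc: str, digest_uri: str,
                        qop: str = "auth", authzid: Optional[str] = None) -> str:
    """response-value per RFC 2831 section 2.1.2.1.

    SASL-specific detail: H(username:realm:passwd) enters A1 as 16 raw
    octets (not hex, unlike HTTP Digest). Because the realm is inside that
    hash, client and server must agree on it or no response can match.
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{_hex_md5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_md5(a2)}"
    return _hex_md5(kd_input.encode("utf-8"))


def server_side_check(username: str, realm: str, client_response: str,
                      digest_uri: str, authzid: Optional[str] = None) -> str:
    """Model of the server: fetch the secret under the realm the client
    named, recompute the response, return a short verdict string."""
    password = SASLDB.get((username, realm))
    if password is None:
        # This is the lookup that fails in the thread above.
        return "SASL(-13): user not found: no secret in database"
    expected = digest_md5_response(username, realm, password, NONCE, CNONCE,
                                   NC, digest_uri, authzid=authzid)
    if expected != client_response:
        return "authentication failure"
    return f"ok: authenticated {username}@{realm}"


def attempt_bind(username: str, password: str, realm: Optional[str],
                 authzid: Optional[str] = None) -> str:
    """Model of the client side of ldapadd: with no realm given it uses the
    server's FQDN, which is the behaviour observed in the thread."""
    realm_used = realm if realm is not None else SERVER_FQDN
    digest_uri = f"ldap/{SERVER_FQDN}"
    response = digest_md5_response(username, realm_used, password, NONCE,
                                   CNONCE, NC, digest_uri, authzid=authzid)
    return server_side_check(username, realm_used, response, digest_uri, authzid)


if __name__ == "__main__":
    # Realm defaults to the FQDN: the (root, ldap.test.org) key does not exist.
    print(attempt_bind("root", "r00t-password", None))
    # An authzid (ldapadd -X) changes A1 but not the lookup key: still no secret.
    print(attempt_bind("root", "r00t-password", None, authzid="root@localhost"))
    # Realm matching the sasldb2 entry: the secret is found and the digest matches.
    print(attempt_bind("root", "r00t-password", "test.org"))
    # Right realm, wrong password: secret found, digest differs.
    print(attempt_bind("root", "wrong", "test.org"))
```

The model shows the two distinct failures a log line can hide: "no secret" means the (user, realm) key was never looked up successfully, whereas a genuine password mismatch only occurs after the lookup succeeds. In the real tools the realm is a separate input from the user name; OpenLDAP's ldapadd(1) and ldapmodify(1) accept it through the -R option, and an authzid supplied with -X does not change which sasldb2 entry the server consults.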
