
Re: Why slapd can't use sasldb?



On Wed, Jan 29, 2003 at 12:19:17PM +0800, Calvin Liu wrote:

> Seems something wrong with my slapd instance. (Maybe the setup process
> wasn't completed.) It always reports,
> /SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory/
> Then I touch a file /etc/sasldb2 but of course it didn't work.

I note that the ldapadd command you use is not using the right set of
flags for SASL bind. If you want to use SASL you need to specify
'-U <username>' rather than '-D <binddn>'. If you do not want SASL
then you need '-x'.

Assuming you want SASL...

This seems rather important:

> additional info: SASL(-13): user not found: no secret in database

If you want to use SASL bind then you need some SASL secrets for the
user concerned. SLAPD cannot update the SASL database - it must be
done by other means.

Try this as root:

saslpasswd2 -c <username>

where <username> is the SASL username that you want to create. There
is no connection with Unix usernames.

Then make sure that /etc/sasldb2 is non-zero and is readable by the
user that slapd runs as. It should not be globally readable, as SASL
secrets are effectively stored in clear.

With 2.1.x versions it is possible to store SASL secrets in the
directory itself. See section 10.2 of the manual for details.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
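The checks Andrew lists (file exists and is non-empty, readable by the slapd account, not world-readable because the secrets are stored in clear) as a small script. This is an added example, not code from the mail or from OpenLDAP; it assumes GNU coreutils `stat -c` and takes the slapd account as a name or numeric uid.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity-check a sasldb2 file.
# Assumes GNU coreutils (stat -c). SVC_USER is the account slapd runs as,
# given as a name or a numeric uid.
# Usage: check_sasldb /etc/sasldb2 ldap   -> returns 0 if all checks pass

check_sasldb() {
    db=$1; svc_user=$2; rc=0

    [ -f "$db" ] || { echo "FAIL: $db missing; create it with: saslpasswd2 -c <username>"; return 1; }
    # A touched, empty file (what the poster tried) holds no secrets at all.
    [ -s "$db" ] || { echo "FAIL: $db is empty; add a user with saslpasswd2"; rc=1; }

    perm=$(printf '%03d' "$(stat -c '%a' "$db")"); perm=${perm#"${perm%???}"}  # last 3 octal digits
    o_bit=${perm%??}; rest=${perm#?}; g_bit=${rest%?}; w_bit=${perm#??}
    f_uid=$(stat -c '%u' "$db"); f_gid=$(stat -c '%g' "$db")
    svc_uid=$(id -u "$svc_user" 2>/dev/null) || svc_uid=$svc_user
    svc_gids=$(id -G "$svc_user" 2>/dev/null)

    # Secrets are stored in clear: any read bit for "other" exposes them to every local account.
    case $w_bit in 4|5|6|7) echo "FAIL: $db mode $perm is world-readable; chmod o-rwx $db"; rc=1 ;; esac

    # slapd must still be able to read it: as the owner, or through a group it belongs to.
    readable=0
    if [ "$f_uid" = "$svc_uid" ]; then
        case $o_bit in 4|5|6|7) readable=1 ;; esac
    fi
    if [ $readable -eq 0 ]; then
        case $g_bit in 4|5|6|7)
            for g in $svc_gids; do [ "$g" = "$f_gid" ] && readable=1; done ;;
        esac
    fi
    [ $readable -eq 1 ] || { echo "FAIL: $db (uid $f_uid, mode $perm) is not readable by $svc_user"; rc=1; }

    [ $rc -eq 0 ] && echo "OK: $db is non-empty, readable by $svc_user and not world-readable"
    return $rc
}
```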