Re: LDAP and SASL...
On Fri, 2004-10-22 at 14:40 -0700, Tobias Rice wrote:
> I can also authenticate
> via sasl just fine using testsasl -u user -p passwd, which produces OK

if you meant to write: testsaslauthd -u user -p password
(testsasl is not a binary in either openldap or sasl)

Then you're suffering from the same misconception that I have been.
saslauthd does nothing except auth mechs PLAIN and LOGIN (both
plaintext).

> "Success". (SASL talks to kerberos just fine)

That's not what that means.  It means that plaintext authentication via
saslauthd is working (probably checking sasldb for the password).
That's all.  It's not looking in your LDAP directory for the passwords
there or at your KDC.

Rather than address the rest of your post, let me suggest (before one of
the smarter folks here does so) that you thoroughly read through the
SASL docs (again if you already have), subscribe to and read my recent
post on the cyrus-sasl mailing list, and then reconsider what you're
doing.  SASL is very, VERY subtle.  I've been through the docs and
configured it some 5 times (maybe more) and I still get it wrong.  Read
the docs and make sure you understand every word, every phrase, etc.

If you're still having problems at that point, you'll probably want to
post your question to the cyrus-sasl list anyway.  This list is for
discussion of OpenLDAP software only.  Not LDAP in general, not Cyrus
SASL, not Kerberos, etc.

You won't get an understanding of SASL by fiddling with it for a few
hours.  Plan on spending much more time trying to understand it than
that.

-- 
Kevin
http://www.gnosys.us