
SASL EXTERNAL via ldapi



I just upgraded from a June 2005 2.3 CVS snapshot to 2.3.12, and I 
can't seem to connect via ldapi/EXTERNAL anymore:

   # ldapsearch -H ldapi:/// -Y EXTERNAL                                       
     SASL/EXTERNAL authentication started
     ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available:

slapd run with -d 256 (stats logging) shows the server itself rejecting the bind — the err=7 RESULT below is produced by slapd, not by the client:

    conn=8 fd=18 ACCEPT from PATH=/usr/local/var/run/ldapi (PATH=/usr/local/var/run/ldapi)
    conn=8 op=0 BIND dn="" method=163
    conn=8 op=0 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: 
    conn=8 fd=18 closed (connection lost)

Google's not giving me any love -- does anyone know what's going on?

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

P.S.:

Here's my configure line:

    # Build options that matter for the ldapi/EXTERNAL question:
    #   --enable-local     AF_LOCAL (ldapi://) listener; the "ACCEPT from PATH=..."
    #                      line in the log above shows it is compiled in.
    #   --with-cyrus-sasl  SASL support; the "SASL(-4): no mechanism available"
    #                      text in the bind result is Cyrus SASL's error string.
    #   --enable-aci       per-entry ACIs (marked experimental by configure);
    #                      nothing in the slapd.conf below uses them.
    #   --disable-syslog   NOTE(review): with syslog disabled, the stats output
    #                      only goes wherever -d sends it, and the accesslog
    #                      overlay is compiled in but not configured below, so
    #                      there is no persistent audit trail of binds/changes.
    ./configure \
        --enable-aci \
        --prefix=/usr/local \
        --enable-shared \
        --enable-modules \
        --enable-local \
        --with-cyrus-sasl \
        --disable-syslog \
        --enable-meta \
        --enable-monitor \
        --enable-ldap \
        --enable-spasswd \
        --enable-overlays \
        --enable-slapi \
        --enable-accesslog \
        --enable-lastmod \
        --enable-refint \
        --enable-syncprov \
        --enable-proxycache \
        --enable-translucent \
        --enable-unique \
        --enable-valsort

Here's slapd.conf:

#################### GLOBAL ##################

## schema files (core.schema is required by default)
include                 /usr/local/etc/openldap/schema/core.schema
include                 /usr/local/etc/openldap/schema/cosine.schema
include                 /usr/local/etc/openldap/schema/inetorgperson.schema
include                 /usr/local/etc/openldap/schema/misc.schema
include                 /usr/local/etc/openldap/schema/nis.schema
include                 /usr/local/etc/openldap/schema/samba.schema
include                 /usr/local/etc/openldap/schema/krb5-kdc.schema
include                 /usr/local/etc/openldap/schema/openxchange.schema
include                 /usr/local/etc/openldap/schema/host-extended.schema

# Bind relaxations.  bind_anon_dn makes a bind that supplies a DN but an
# empty password succeed as *anonymous* instead of failing, and bind_anon_cred
# does the same for a password with no DN; applications that equate "bind
# succeeded" with "password verified" are misled by both.  update_anon lets
# unauthenticated clients submit write operations (still subject to the ACLs
# below, which give anonymous no write access, but it removes a layer of
# defence).  NOTE(review): none of these is needed for ldapi/EXTERNAL;
# consider keeping only bind_v2 unless a specific client depends on them.
allow 		        bind_v2
allow 		        bind_anon_cred
allow 		        bind_anon_dn
allow 		        update_anon

pidfile 	        /var/run/slapd.pid

modulepath	        /usr/local/libexec/openldap
#moduleload	        smbk5pwd.la
threads		        8

# SASL configuration
# sasl-secprops restricts which Cyrus SASL mechanisms slapd will accept on a
# connection; "noplain" rejects mechanisms susceptible to simple passive
# attacks.  NOTE(review): the failing ldapi bind reported above is refused by
# slapd itself (the op=0 RESULT carries the "no mechanism available" text), so
# server-side mechanism selection is what to debug; commenting this directive
# out and retrying is a cheap way to rule it in or out as the cause.
sasl-host   	        server.cise.ufl.edu
sasl-realm  	        CISE.UFL.EDU
sasl-secprops           noplain
#password-hash          {SSHA}

# SSL
# NOTE(review): the private key sits in the certs directory; make sure it is
# readable only by the account slapd runs as.

TLSCACertificateFile    /usr/local/lib/ssl/certs/cise-cacert.pem
TLSCertificateKeyFile   /usr/local/lib/ssl/certs/glow.cise.ufl.edu-key.pem
TLSCertificateFile      /usr/local/lib/ssl/certs/glow.cise.ufl.edu-cert.pem

#
# Mappings
#
# authz-regexp rules are tried in the order listed and the first match wins.
# The peercred authcid is built by slapd from the ldapi socket's peer uid/gid;
# the "\\\+" sequence is unescaped by the config parser to "\+" so the "+"
# (multi-valued RDN separator) is matched literally.
# NOTE(review): the order of the uidNumber/gidNumber components in that
# authcid has not been the same in every release and the regex is matched
# against the normalized DN — check the "BIND authcid=..." stats-log line from
# this build to confirm it really presents uidNumber=...+gidNumber=...;
# otherwise root is silently left unmapped.  None of the patterns here is
# anchored (^...$); anchoring them is cheap insurance against partial matches.

authz-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
        "cn=ldapadmin,dc=cise,dc=ufl,dc=edu"

# Dead rule: its pattern is identical to the one above, which always matches
# first, so root is mapped to cn=ldapadmin and never to this principal.
authz-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
        "krb5PrincipalName=kadmin/admin@CISE.UFL.EDU"

# PLAIN users -> their entry.  Only relevant if PLAIN is actually offered
# despite sasl-secprops noplain.  NOTE(review): "(.+)" also swallows any
# ",cn=<REALM>" component slapd inserts for a non-default realm; "([^,]+)"
# would limit the mapping to the default realm's users.
authz-regexp
    "uid=(.+),cn=plain,cn=auth"
    "uid=$1,ou=Users,dc=cise,dc=ufl,dc=edu"

# GSSAPI principals -> their entry.  Same "(.+)" caveat as above.
authz-regexp
    "uid=(.+),cn=gssapi,cn=auth"
    "uid=$1,ou=Users,dc=cise,dc=ufl,dc=edu"

# Access controls.  "access to" directives are evaluated in order and the
# first one whose target matches the entry/attribute is used; within it the
# first matching "by" clause decides.  Two things to know before editing:
#   * cn=ldapadmin is the rootdn of the database below and is not subject to
#     these ACLs there, so the explicit "by dn=cn=ldapadmin" clauses are
#     redundant (harmless).
#   * the final "access to *" grants read to everyone, including anonymous,
#     and the database sets sizelimit unlimited — as written, an
#     unauthenticated client can enumerate the whole tree apart from the
#     password attributes protected below.

# Allow read access of root DSE to ALL
# NOTE(review): dn="" with no style is legacy syntax; some releases treated an
# unstyled dn= pattern as a regex, and an empty regex matches every DN, which
# would turn this into "read everything" and shadow every rule below.  The
# dn.base="" form that follows is the unambiguous one — keep it, drop this.
access to dn=""
  by * read
     
access to dn.base=""
  by * read

# Password-equivalent attributes (Samba hashes, Kerberos keys).  No "by *"
# clause is listed, so everyone else gets the implicit "none"; "auth" grants
# only what a bind needs, not read or compare.
access to dn.regex="(.*,)?dc=cise,dc=ufl,dc=edu"
    attrs="sambaLMPassword,sambaNTPassword,sambaPasswordHistory,krb5Key,krb5EncryptionType,krb5KeyVersionNumber,krb5PasswordEnd"
        by dn="cn=ldapadmin,dc=cise,dc=ufl,dc=edu" write
	by anonymous auth

# userPassword: anonymous may bind with it, the owner may change it, nobody
# else sees it.  The explicit "by * none" is what the default would be anyway.
access to dn.regex="(.*,)?dc=cise,dc=ufl,dc=edu" attrs="userPassword"
        by dn="cn=ldapadmin,dc=cise,dc=ufl,dc=edu"     write
	by anonymous auth
	by self write
	by * none


# Per-user subtrees: the owner may add/delete children, everyone may read.
# The ou=users / ou=Users clauses should compare equal after DN normalization,
# so one of each pair is redundant.  NOTE(review): the krb5PrincipalName=...
# identity can only arise from an authz-regexp mapping, and the only rule that
# yields one is the dead second peercred rule above, so that clause appears to
# be unreachable as configured.  The target regex is unanchored.
access  to dn.regex="uid=([^,]+),ou=Users,dc=cise,dc=ufl,dc=edu" attrs=children
        by dn.exact,expand="uid=$1,ou=users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="uid=$1,ou=Users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="krb5PrincipalName=$1@CISE.UFL.EDU"  	write
        by *                                    	read

# Per-user address book subtree; same owner/krb5 caveats as above.
access  to dn.regex="ou=userabook,uid=([^,]+),ou=Users,dc=cise,dc=ufl,dc=edu" 
        by dn.exact,expand="uid=$1,ou=users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="uid=$1,ou=Users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="krb5PrincipalName=$1@CISE.UFL.EDU"  	write
        by *                                    	read

# Per-user addr subtree; same owner/krb5 caveats as above.
access  to dn.regex="ou=addr,uid=([^,]+),ou=Users,dc=cise,dc=ufl,dc=edu" 
        by dn.exact,expand="uid=$1,ou=users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="uid=$1,ou=Users,dc=cise,dc=ufl,dc=edu"  	write
        by dn.exact,expand="krb5PrincipalName=$1@CISE.UFL.EDU"  	write
        by *                                    	read

# Catch-all: world-readable.  The second ldapadmin clause is never reached
# (the "read" clause matches first); it only does not matter because
# ldapadmin is the rootdn.
access to *
        by dn="cn=ldapadmin,dc=cise,dc=ufl,dc=edu" read
        by dn="cn=ldapadmin,dc=cise,dc=ufl,dc=edu" write
	by *					   read

# Unreachable: "access to *" above already matches every entry and attribute.
# Harmless, since it grants the same read; move it above the catch-all if it
# is meant to take effect.
access to attrs=supportedSASLMechanisms,subschemaSubentry
  by anonymous read
  by * read

#################### END GLOBAL ##################

#################### DATABASE   ##################

# Primary BDB database.  rootdn is not subject to the ACLs above for this
# database, and rootpw is a password hash stored in this file, so the file
# must not be readable by anyone but the slapd account.
# NOTE(review): sizelimit unlimited removes the per-search result cap for
# every client; combined with the global "by * read" this lets an anonymous
# client dump the tree in a single search.  A default limit plus "limits"
# entries for the few accounts that need more is the usual shape.
database                bdb
suffix                  dc=cise,dc=ufl,dc=edu
rootdn                  cn=ldapadmin,dc=cise,dc=ufl,dc=edu
directory	        /var/ldap/db
cachesize	        100000
sizelimit	        unlimited
idlcachesize	        300000
checkpoint	        1024 5
lastmod 	        on
rootpw                  {SSHA}.......
#overlay		        smbk5pwd

# Indices to maintain

## required by OpenLDAP
index                   objectClass             eq
index                   cn                      pres,sub,eq,approx
index                   sn                      pres,sub,eq,approx

## required to support pdb_getsampwnam

index                   uid                     pres,sub,eq,approx

## required to support pdb_getsambapwrid()
index                   displayName             pres,sub,eq


## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well

index                   uidNumber               eq
index                   gidNumber               eq
index                   memberUid               eq
index                   uniqueMember            eq
index                   sambaSID              	eq
index                   sambaPrimaryGroupSID  	eq
index                   sambaDomainName       	eq
# "index default" only supplies the index types for "index <attr>" lines
# that omit them; every line here names its types, so this appears to be a
# no-op as written.
index                   default               	sub
index                   loginShell           	pres,sub,eq
index                   homeDirectory        	pres,sub,eq
index                   nisNetgroupTriple    	pres,sub,eq
index 	                memberNisNetgroup	pres,eq,sub
index	                krb5PrincipalName	pres,eq