Re: slurpd -d9 --- Invalid credentials
- To: Howard Chu <hyc@symas.com>, Aaron Richton <richton@nbcs.rutgers.edu>
- Subject: Re: slurpd -d9 --- Invalid credentials
- From: Steven Wong <slqwong@yahoo.com>
- Date: Tue, 8 Aug 2006 11:54:47 -0700 (PDT)
- Cc: openLDAP software <openldap-software@OpenLDAP.org>
Sorry, I've been busy working on another project....
But before working on the other project, I was able to replicate from master to slave LDAP servers with simple bind and the plaintext passwd in the /etc/openldap/slapd.conf file.
Now that I have time to continue with LDAP, I was wondering if there are any HOWTOs for LDAP, SSL, with SASL, without Kerberos. I don't want to have the passwd in plaintext in the configuration file.
I have the following in my /etc/openldap/slapd.conf file for the replica piece
replica host=server2.pro-unlimited.com:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        tls=yes
        bindmethod=sasl
        authcid=replicator
        credentials={MD5}iNv5bh4HOx5hLd+CWDcfZw==
        saslmech=digest-md5
yet, when I ran slurpd in debug mode, after the SSL passed, I get the message that says
"Error: LDAP SASL for <server2>.pro-unlimited.com:389 failed: Authentication method not supported"
I have even tried putting this on my master LDAP server and the slave
sasl-realm <server1>.pro-unlimited.com
sasl-regexp uid=(.*),cn=.*,cn=.*,cn=auth cn=$1,ou=people,dc=pro-unlimited,dc=com
Yet, I still get the same error message as above.
I've even created the user in the /etc/sasldb on the master and the slave LDAP servers
[root@server1 openldap]# sasldblistusers
user: replicator realm: server1.pro-unlimited.com mech: PLAIN
user: replicator realm: server1.pro-unlimited.com mech: CRAM-MD5
user: replicator realm: server1.pro-unlimited.com mech: DIGEST-MD5
[root@server2 openldap]# sasldblistusers
user: replicator realm: server2.pro-unlimited.com mech: PLAIN
user: replicator realm: server2.pro-unlimited.com mech: CRAM-MD5
user: replicator realm: server2.pro-unlimited.com mech: DIGEST-MD5
[root@server3 openldap]# sasldblistusers2
replicator@server3: userPassword
Can someone point me in a direction, hints, or howto's?
Thanks,
Steven
----- Original Message ----
From: Howard Chu <hyc@symas.com>
To: Aaron Richton <richton@nbcs.rutgers.edu>
Cc: Steven Wong <slqwong@yahoo.com>; openLDAP software <openldap-software@OpenLDAP.org>
Sent: Tuesday, July 18, 2006 3:27:58 PM
Subject: Re: slurpd -d9 --- Invalid credentials
Aaron Richton wrote:
>> Just curious, anyway I can use encrypted passwd for the proxyuser
>> also? This passwd is currently in /etc/ldap.secret with perm 0600 in
>> clear text. I've read that this has to be on every system (ldap
>> server or client).
>
> Whenever you are using a simple bind mechanism, you will need to store
> the credentials in plaintext or the moral equivalent of plaintext.
> This applies for replication, proxyuser, Any Old User Off The Street,
> etc., so long as they're using simple bind.
Not just simple bind. Also for SASL/DIGEST-MD5, i.e., any mech that
ordinarily prompts the user for a password.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
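Howard's point above (that SASL/DIGEST-MD5, like simple bind, needs the plaintext password or its moral equivalent on the client side) can be read off the response computation itself. The block below is an added Python example written for this archive page; it is not OpenLDAP, slurpd or Cyrus SASL code. The username, realm and digest-uri reuse names from the thread; the password and both nonces are made up. It runs the RFC 2831 qop=auth client computation three ways: with the password, with only H(username:realm:password) (the hashed form RFC 2831 allows a server to store instead of the password), and with only the {MD5} userPassword hash of the kind that appears in the replica stanza.

```python
import base64
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_ha1_secret(username: str, realm: str, password: str) -> bytes:
    """H(username ":" realm ":" passwd), 16 raw bytes (RFC 2831 section 2.1.2.1).
    A verifier may store this instead of the password, but anyone holding it
    can answer any challenge, so it is the 'moral equivalent of plaintext'."""
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(ha1_secret: bytes, nonce: str, cnonce: str,
                        nc: str, qop: str, digest_uri: str) -> str:
    """Client response-value for qop=auth without authzid (RFC 2831 2.1.2.1):
      A1       = H(username:realm:passwd) ":" nonce ":" cnonce
      A2       = "AUTHENTICATE:" digest-uri
      response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    Only the HA1 secret enters here; the password itself is never needed."""
    a1 = ha1_secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}"
    return _md5hex(kd_input.encode("utf-8"))


def server_verify(stored_ha1: bytes, nonce: str, cnonce: str, nc: str,
                  qop: str, digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_md5_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def slapd_md5_userpassword(password: str) -> str:
    """OpenLDAP's {MD5} userPassword scheme: base64(MD5(password)), with no
    username or realm mixed in. A slapd.conf value of the form {MD5}xxxx==
    is this scheme, not the DIGEST-MD5 HA1 secret."""
    return "{MD5}" + base64.b64encode(_md5(password.encode("utf-8"))).decode("ascii")


def raw_bytes_of_md5_scheme(value: str) -> bytes:
    """Decode a {MD5} value so it can be tried as if it were HA1. It is
    MD5(password), not H(username:realm:password), so it cannot work."""
    if not value.startswith("{MD5}"):
        raise ValueError("not an {MD5} userPassword value")
    return base64.b64decode(value[len("{MD5}"):])


# Constructed exchange: user, realm and digest-uri follow the thread; the
# password and both nonces are invented for this example.
USERNAME = "replicator"
REALM = "server1.pro-unlimited.com"
PASSWORD = "example-replica-password"
NONCE = "srv-n0nce-000001"
CNONCE = "cli-n0nce-000001"
NC = "00000001"
QOP = "auth"
DIGEST_URI = "ldap/server1.pro-unlimited.com"


def demo() -> dict:
    """Answer one challenge with three different client-side secrets."""
    stored_ha1 = digest_md5_ha1_secret(USERNAME, REALM, PASSWORD)

    # 1. Client holds the plaintext password: derive HA1, then answer.
    from_password = digest_md5_response(
        digest_md5_ha1_secret(USERNAME, REALM, PASSWORD),
        NONCE, CNONCE, NC, QOP, DIGEST_URI)
    # 2. Client holds only HA1: identical answer, no password required.
    from_ha1 = digest_md5_response(stored_ha1, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    # 3. Client holds only the {MD5} userPassword value: wrong answer.
    md5_value = slapd_md5_userpassword(PASSWORD)
    from_md5_scheme = digest_md5_response(
        raw_bytes_of_md5_scheme(md5_value), NONCE, CNONCE, NC, QOP, DIGEST_URI)

    args = (stored_ha1, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    return {
        "password_ok": server_verify(*args, from_password),
        "ha1_ok": server_verify(*args, from_ha1),
        "md5_scheme_ok": server_verify(*args, from_md5_scheme),
        "md5_scheme_value": md5_value,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as-is it reports password_ok and ha1_ok as True and md5_scheme_ok as False. The only hashed form a DIGEST-MD5 client can work from is H(username:realm:password), and whoever can read that value out of a configuration file can bind exactly as well as with the password, which is why hiding it in slapd.conf buys nothing over a 0600 plaintext credential.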