
Re: open ldap with SASL & GSSAPI

Maxwell Bottiger wrote:
On Wed, 2006-11-08 at 18:28 -0800, Howard Chu wrote:

I figure this is one of three possible problems. 1 - saslauthd isn't working right
SASL-enabled servers don't talk to saslauthd to perform GSSAPI authentication, so that is out of the equation.


That's very interesting. If OpenLDAP and other SASL-enabled services don't need saslauthd, what does use it? Just curious. Maybe it's something I can turn off.

I generally don't build saslauthd; I find it to be more of a liability than anything else. It only supports plaintext password authentication. The couple of things it can do that nothing else does are authenticate a plaintext password against PAM, IMAP, and some other external mechanisms.


The only reason OpenLDAP supports SASL is to provide strong authentication mechanisms. Going to the trouble of setting up SASL, and then only using it with plaintext, just doesn't make any sense.

I have some more information from playing around this afternoon.  The
first thing I found is that LDAP authentication is still working for my
Fedora 5 computers.  The LDAP queries for users are failing only for the
Fedora 6 machine.  Since the setups are identical except for releases, I
submitted a bug report to Red Hat's Bugzilla.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214679

There are two logs attached to the bug report which detail this problem.
They are both kind of lengthy, so I won't list them here.

That having been said, I'm really really leaning toward me not setting
up these queries correctly.  ldapsearch is still failing regardless of
whether or not logins are working, and they are failing with the same
error messages.

Thanks for your quick response.

First you should follow Kurt's advice and get the SASL sample client and server working, before leaping to any other conclusions.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
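A quick check that separates the two layers discussed in this thread (does slapd advertise GSSAPI at all, versus does a GSSAPI bind actually succeed) can be scripted with plain ldapsearch. The script below is an added example, not code from the thread or from the OpenLDAP project; the server URI and the LDIF used in the self-test are constructed placeholders. The first query uses an anonymous simple bind, so it never touches SASL or saslauthd; if GSSAPI is missing from the root DSE, the problem is slapd's SASL/Kerberos setup (keytab, sasl-host, sasl-realm), and debugging a client-side bind is premature.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether an OpenLDAP
# server advertises the GSSAPI SASL mechanism before debugging a GSSAPI bind.
# LDAP_URI is an assumed placeholder; override it in the environment.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.test}"

# Print supportedSASLMechanisms from the root DSE using an anonymous simple
# bind (-x). No SASL is involved, so a failure here means connectivity or ACL
# trouble, not a GSSAPI problem.
list_sasl_mechs() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "" -s base supportedSASLMechanisms
}

# Read LDIF on stdin; exit 0 if GSSAPI is advertised, 1 otherwise.
has_gssapi_mech() {
    grep -q '^supportedSASLMechanisms: GSSAPI$'
}

# Attempt a real GSSAPI bind (-Y GSSAPI) against the root DSE. This needs a
# valid Kerberos ticket in the credential cache (see klist) and a slapd keytab
# for ldap/<host>; saslauthd plays no part in it.
try_gssapi_bind() {
    ldapsearch -Y GSSAPI -LLL -H "$LDAP_URI" -b "" -s base namingContexts
}

main() {
    if ! list_sasl_mechs | has_gssapi_mech; then
        echo "server does not advertise GSSAPI: check slapd's keytab/sasl-host, not saslauthd" >&2
        return 1
    fi
    try_gssapi_bind
}

# Only run the live checks when invoked as "sh check-gssapi.sh run", so the
# helper functions can also be sourced and exercised on canned LDIF.
case "${1:-}" in
    run) main ;;
esac
```

Invoke it as `LDAP_URI=ldap://your.server sh check-gssapi.sh run` from a host that already holds a TGT (`kinit user`). If the first step fails, fix the server side; if the first step passes and the GSSAPI bind fails, the error text from ldapsearch refers to the client's Kerberos/SASL configuration.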