
Re: LDAP authentication against PAM how-to



On Fri, Feb 09, 2007 at 01:15:47AM -0800, Howard Chu wrote:
> I wouldn't expect to find much documentation on this topic because in 
> general it's the wrong thing to do. What distributed authentication system 
> do you use that is supported by pam but is not supported directly by LDAP 
> or SASL?

Radius. I'm aware that 2.4 fills that gap, but I don't want to use alpha
software in production (in fact, I was not even able to build it).

> These steps are only needed if you're going to use plaintext passwords in 
> SASL Binds, and yet you only show the use of Simple Binds here.

Sure, that's just what I was looking for. I found no doc explaining how to
do it, that's why I post it there, with the hope it could help someone else
(or even myself in a few months).

I could not even find a place where it is said that userPassword should
be {SASL} followed by the login.

> >NB2: slapd logs in /var/log/slapd.conf, the error messages are usually
> >meaningless, especially for ACL and SASL troubles.
> The log messages are meaningful, you just don't understand them. Your 
> ignorance does not indicate a fault in the software.

I expected to be flamed for that one. I just tell you about my frustration
working with some OpenLDAP areas. You can choose to call user feedback
ignorance and ignore it, it's up to you.

Back on ACL logs: Point me to the document that explains how to parse that 
pack of nonsense, and I might consider them meaningful. For now, my opinion 
is that the ACL log output is just useless for the average administrator. 
Where is the information such as what ACL matched, or for what value an 
ACL clause is evaluated?

-- 
Emmanuel Dreyfus
manu@netbsd.org