[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP session authentication

To: Dan White <dwhite@olp.net>
Subject: Re: OpenLDAP session authentication
From: Erik Lotspeich <erik@lotspeich.org>
Date: Tue, 05 Oct 2010 15:04:40 -0500
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lotspeich.org; s=200804; t=1286309086; bh=xI1GPgg9YtlvWBCNQwF0tl5kobYmxZw/rvSYfzcaBUY=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; z=Message-ID:=20<4CAB84D8.3030002@lotspeich.org>|Date:=20Tue,=2005= 20Oct=202010=2015:04:40=20-0500|From:=20Erik=20Lotspeich=20<erik@l otspeich.org>|User-Agent:=20Thunderbird=202.0.0.24=20(X11/20100302 )|MIME-Version:=201.0|To:=20Dan=20White=20<dwhite@olp.net>|CC:=20o penldap-technical@openldap.org|Subject:=20Re:=20OpenLDAP=20session =20authentication|References:=20<4C9B8E0E.8020708@lotspeich.org>=0 9<20100923221325.GB2788@dan.olp.net>=09<4CA35909.3010702@lotspeich .org>=20<20101003033809.GA4634@dan.olp.net>|In-Reply-To:=20<201010 03033809.GA4634@dan.olp.net>|X-Enigmail-Version:=200.96.0|Content- Type:=20text/plain=3B=20charset=3Diso-8859-1|Content-Transfer-Enco ding:=207bit; b=e2/w/7BkNxVtmDwc/S8lRKIQfhDZYi4toCw6OhqbpT7KmaQfi8xVRWgarxtgb5iyg x9hfBcVyIvN4A5eaYBa6nsaFb6qRYn4+sa83vdSTSKdUAlfs3zaw4BuHa+5XNJvRba SFGtMFc1AO72zeqn9QBmLeExY6KHCn/zuQGapyko=
In-reply-to: <20101003033809.GA4634@dan.olp.net>
References: <4C9B8E0E.8020708@lotspeich.org> <20100923221325.GB2788@dan.olp.net> <4CA35909.3010702@lotspeich.org> <20101003033809.GA4634@dan.olp.net>
User-agent: Thunderbird 2.0.0.24 (X11/20100302)

Hi Dan,

Thanks so much for your help.  I'm getting closer.

The ldapwhoami seems to work now.

erik@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
SASL/PLAIN authentication started
Please enter your password:
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth
erik@starfish:~/ldif$

I can also run an ldapsearch to list the contents of my database:

erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b
'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/
-W -Y plain
Enter LDAP Password:
SASL/PLAIN authentication started
SASL username: erik
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <ou=people, dc=lotspeich,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# people, lotspeich.org
dn: ou=people,dc=lotspeich,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
.
. *** DATA OMITTED! ***
.
# search result
search: 2
result: 0 Success

# numResponses: 136
# numEntries: 135

I have two questions/concerns:

1. If I leave the "-Y plain" option off of the argument list to
ldapsearch, I get "Invalid credentials":

erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b
'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
erik@starfish:~/ldif$

I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried
adding one for ldapsearch:

root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
pwcheck_method: saslauthd
mech_list: plain

This didn't seem to make a difference in allowing me to authenticate
without the "-Y" option.

2. I would like to use authenticated LDAP in Thunderbird.  I set
uid=erik,cn=plain,cn=auth as my Bind DN.  It asked for my password, but
always returned 'authentication failed'.

I don't know if #1 or #2 are related.  I know I must be missing
something.  From what I understand (which isn't much), I'm not using
simple bind, so I don't need the mappings in my configuration file that
you mentioned previously.

Regards,

Erik

Dan White wrote:
> On 29/09/10 10:19 -0500, Erik Lotspeich wrote:
>> Hi Dan,
>>
>> I hope that I don't mind if I ask a follow-up question:
>>
>> root@starfish:/usr/local/etc/openldap# testsaslauthd -u erik -p XXX -s
>> slapd
>> 0: OK "Success."
>>
>> That works, but when I run ldapwhami, it doesn't:
>>
>> root@starfish:/usr/local/etc/openldap# ldapwhoami -Y login -U erik -H
>> ldap://localhost
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>        additional info: SASL(-4): no mechanism available: No worthy
>> mechs found
>>
>> I did a search on the internet, and I ran this command:
>>
>> root@starfish:/usr/local/etc/openldap# ldapsearch -x -ZZ -s base -b ""
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> #
>> dn:
>> objectClass: top
>> objectClass: OpenLDAProotDSE
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> In other examples I've seen, mechanisms such as PLAIN or LOGIN or listed
>> here.
> 
> Make sure you have the appropriate sasl shared libraries installed on both
> your server and your client (which appears to be the same according to your
> examples from above).  Use plugingview/saslpluginviewer to see which
> server/client mechanisms you do have installed.
> 
> For instance, on a Debian system you'd need to have the libsasl2-modules
> package.
> 
> If you do have those mechanisms installed but are still not seeing them in
> the '-s base -b ""' search, make sure you've added 'sasl-secprops none' to
> your openldap slapd.conf.
>

Follow-Ups:
- Re: OpenLDAP session authentication
  - From: Dan White <dwhite@olp.net>
- Re: OpenLDAP session authentication
  - From: Marc Patermann <hans.moser@ofd-z.niedersachsen.de>

References:
- Re: OpenLDAP session authentication
  - From: Dan White <dwhite@olp.net>

Prev by Date: Checking compile options
Next by Date: Re: Checking compile options
Index(es):
- Chronological
- Thread