[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with openldap 2.0.6 and SASL [follow-up]

At 12:33 PM 10/29/00 -0800, Rob Tanner wrote:
>Went to CVS and got most recent, cutting-edge, sasl.c and recompiled slapd.  This DID NOT resolve the problem.  Also, though I've tried a number of variations of arguments with ldapadd without success, the variation that seems the most correct to me is:
>ldapadd  -f cheshire-init.ldif -D "uid=rtanner@cheshire.onlinemac.com" 

Note that the bind name (-D) in (mostly) ignored when using SASL.
But that's not your problem.

>It still fails, as below, with the error "Insufficient Access" which means I successfully authenticated but the server doesn't think I'm authorized.

Which operation returned this result code?  In general, please post
the complete error message.

>  Also, one other thing I forgot to mention.  Immediately after ldapadd prompts me and I enter my password, it prints out "SASL SSF: 0".  Where is the ssf of 0 coming from?

In the default mode, certain SASL details are printed on the terminal.
This indicates that Security Strength Factor is zero.  That is, no
integrity and no confidentiality services are being provided.  The
fact that you got message implies that you were able to authentication.

You should check the server logs to see what authorization
identity was assigned and then establish appropriate ACLs
based upon this identity.

>I've tried seeting "security ssf=56" in slapd.conf, and that doesn't make any difference.

Setting ssf=56 requires use of integrity and confidentiality services
which use encryption with key lengths of 56-bits or greater.  You
should see "confidentiality required" errors when attempting any
read or update operation.

>-- Rob
>--On 10/28/00 06:01:18 PM -0700 Rob Tanner <rtanner@cheshire.onlinemac.com> wrote:
>>I installed openldap-2.0.6 with SASL support of redhat 6.2. It build
>>and test without a hitch.  In running configure, I included the
>>"--with-cyrus-sasl" and the "--enable-spasswd" parameters.  In
>>slapd.conf, I've included the following lines:
>>sasl-host cheshire.onlinemac.com
>>sasl-realm CHESHIRE
>>sasl-secprops noanonymous  minssf=56
>>rootdn "uid=rtanner@cheshire.onlinemac.com"
>>But when I try to use ldapadd, no combination of options that I tried
>>would work.  After I entered my password (mech=CRAM-MD5), ldapadd
>>would return with the error "Insufficient Access".
>>I know SASL is ok.  I installed and configured it on the same machine
>>several months ago and it gets used continuously for Cyrus IMAP and
>>AUTH SMTP.  The docs are all pretty sparse, so I wouldn't be
>>surprised if I'm just doing something wrong.
>>All suggestions appreciated.  Thanks.
>      _ _ _ _           _    _ _ _ _ _
>     /\_\_\_\_\        /\_\ /\_\_\_\_\_\
>    /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
>   /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
>  /\/_/_/_/_/ /\_\  /\/_/    /\/_/
> /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
> \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
> Rob Tanner
> McMinnville, Oregon
> rtanner@cheshire.onlinemac.com