[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: "ldapsearch -I" doesn't give desired result .. working !

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Monday, January 08, 2001 8:43 PM
To: Jankok, Lucio
Cc: openldap-software@OpenLDAP.org
Subject: Re: "ldapsearch -I" doesn't give desired result

At 10:36 AM 1/8/01 +0100, Jankok, Lucio wrote:
>I have qmail-ldap working with cyrus-sasl but not completely, I would
>like to get it working completely.
>I have two questions; 
>        1) I would like to know how I can make "ldapsearch -I" to return
>            the supported sasl mechanism without having to explicitely
>            specify the mechanism.

: Whenever -Y is not specified (and SASL authenticate is used),
: the client will attempt to anonymously read the supportedSASLmechanims
: attribute from the root DSE.  This can fail for many reasons (such
: as ACLs or no supported mechanisms).

Yes !.. once I changed my ACL and gave anonymous read access on the database
I got "ldapsearch -I" working.

: The client will then select the "best" mechanism from the listed
: one it also supports.

Correct, I will get; "SASL/DIGEST-MD5 authentication started"

>        2) I would like to know how I can make "ldapsearch -I -Y mechanism"
>             authenticate from the sasldb database. 

:Well, the answer to this question is complex.  There are multiple
:mechanisms which are affected by numerous factors.

I got this working by including the following in the "/etc/openldap/slapd.conf"
	# sals's stuff"
	sasl-host my.full.hostname
	sasl-realm mymachinename
	sasl-secprops noplain

Kind Regards,

Lucio Jankok