[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trying to enable SASL support for OpenLDAP 2.0.11...


On Wednesday,  8. August 2001 23:34, Brendan Byrd wrote:
> This is annoying.  I've been spending the past 8+ hours trying to get
> SASL to work with OpenLDAP.  Every time I do, I encounter the same
> error:
> # ldapadd -D "uid=root@sineswiper.missiondata.com" -f
> /root/missiondata.ldif
> ldap_sasl_interactive_bind_s: No such object

the -D parameter is for simple authentication, you should use "-U root" 
instead (if root is a valid user in your SASL realm).


> I can use simple mode just fine, but I don't want simple mode.  I'm
> trying to get everything setup for LDAP through SSL.  I have all of
> the libraries: Kerberos 5, SASL, DES, Crypt, Crypto, etc.  I've used
> the following configure line:
> # ldapadd -k
> ldapadd: not compiled with Kerberos support
> I'm not sure if the SASL switch on the configure overrides this or
> what, but I don't understand why it can't have support for both.  My
> ldap.conf is correct:

Kerberos 5 is not Kerberos in the senso of OpenLDAP. Using Kerberos 5 with 
LDAP works just fine, if you have the GSSAPI SASL mechanism installed (this 
means Kerberos 5 over SASL), however the -k parameter is only for Kerberos 4.

> BASE    dc=missiondata, dc=com
> URI     ldap://sineswiper.missiondata.net
> According to LDAPSearch, I don't have the required
> "supportedSASLMechanisms" objects in my Root DN:

This is another pitfall: supportedSASLMechanisms is an operatiional 
attribute. You have this (if SASL is working) but your ACLs must grant 
anonymous read access to it.

> # ldapsearch -D "cn=root,dc=missiondata,dc=com" -b "" -Wxs base -LLL
> Enter LDAP Password:
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
> My /var/log/message doesn't say anything unusual.  I've already
> created a /etc/sasldb with saslpasswd.  My slapd.conf contains:
> ---- cut ----
> sasl-host sineswiper.missiondata.net
> sasl-secprops none
> database        ldbm
> suffix          "dc=missiondata,dc=com"
> #rootdn         "uid=root@sineswiper.missiondata.net"
> rootdn          "cn=root,dc=missiondata,dc=com"
> rootpw          {SSHA}---blah---
> directory       /var/openldap/ldbm
> index           objectClass     eq

rootdn and rootpw are for simple authentication only.

> TLSCertificateFile /var/ssl/ssl.crt/server.crt
> TLSCertificateKeyFile /var/ssl/ssl.key/server.key
> ---- end ----

You may need the SASLRealm and the SASLserver parameter. See the slapd.conf 
man page for details.

Stephan Siano
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn