Re: Trying to enable SASL support for OpenLDAP 2.0.11...
Stephan Siano wrote:
> the -D parameter is for simple authentication, you should use "-U
> root" instead (if root is a valid user in your SASL realm).
Something happened when I was setting up my station for PAM through
LDAP. For some reason, the SASL just suddenly woke up. I wonder if
this had anything to do with what authconfig does when you turn on LDAP,
but I'd like to pinpoint the source of this problem. After all, this is
only a test box, and I don't want to end up getting the same problem
with the REAL boxes.
Anyway, I was getting this:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Unknown error
Until I used that -U switch, and then I started getting data. I have
another important question, though: How do I enable SASL support for PAM
through LDAP? According to the /etc/ldap.conf (different than
/etc/openldap/ldap.conf), there's binddn and PW directives and there's a
rootdn/pw directives, but I don't know how to translate this into SASL
mode. Is this even possible? Can I use mix-modes without fear of
password confusion between the SASL auth and the passwords within the
user entries in the LDAP database?
> > According to LDAPSearch, I don't have the required
> > "supportedSASLMechanisms" objects in my Root DN:
> This is another pitfall: supportedSASLMechanisms is an operational
> attribute. You have this (if SASL is working) but your ACLs must grant
> anonymous read access to it.
> > # ldapsearch -D "cn=root,dc=missiondata,dc=com" -b "" -Wxs base -LLL
> > Enter LDAP Password:
But, from the line above, I'm using my root account. It should read
anything, right? Even when I use SASL mode to access it, it still
doesn't work. Of course, I'm still trying to figure out this LDAP
filter. I try "(objectclass=*)" and I get something, but "(*=*)"
doesn't get me anything, and "(*)" is a bad filter.
Brendan Byrd (firstname.lastname@example.org)
System Administrator @ Mission Data
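The point made in this exchange (supportedSASLMechanisms lives on the root DSE as an operational attribute, so it has to be requested explicitly and the ACL has to allow reading it) is easy to check from a shell. The script below is an added example and not code from the original thread: it builds the ldapsearch query for the root DSE, and it parses LDIF output to list the advertised mechanisms. The LDIF sample embedded in it is constructed, the mechanism names, host and suffix in it are illustrative, and the slapd.conf ACL line in the comment is the usual way to open the root DSE to anonymous reads, given here as an assumption about the poster's configuration rather than something the thread states.

```shell
#!/bin/sh
# Constructed sample of the LDIF a root-DSE query returns once the ACL permits
# reading the operational attribute. Values are illustrative, not from the thread.
SAMPLE_ROOTDSE_LDIF='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
namingContexts: dc=example,dc=com
'

# The query to run against a live server. Three details matter:
#  - "-b '' -s base" targets the root DSE, which is the entry that carries
#    supportedSASLMechanisms;
#  - "(objectclass=*)" is the filter that matches any entry ("(*=*)" is not
#    a valid filter), so it is the right filter for a base-scope read;
#  - supportedSASLMechanisms is operational, so it is only returned when
#    named in the attribute list (or requested with "+").
# "-x" forces a simple bind (anonymous here); without "-x" the 2.0 client
# attempts a SASL bind, which is the behaviour seen earlier in the thread.
# Assumed server address: ldap://localhost.
rootdse_query_cmd() {
    printf '%s\n' \
      'ldapsearch -x -H ldap://localhost -b "" -s base -LLL "(objectclass=*)" supportedSASLMechanisms'
}

# If the query above returns no supportedSASLMechanisms lines even though
# SASL is configured, the root DSE is not readable by the binding identity.
# Assumed slapd.conf fix for OpenLDAP 2.0 (place before other access rules):
#   access to dn="" by * read

# Print one mechanism name per line from LDIF text on stdin.
# OpenLDAP 2.0-era output writes these ASCII values unencoded, so no base64
# handling is needed.
sasl_mechs_from_ldif() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Print how many mechanisms the LDIF on stdin advertises (0 if none).
count_mechs() {
    awk '/^supportedSASLMechanisms:/ { n++ } END { print n + 0 }'
}

# Exit 0 if mechanism $1 is advertised in the LDIF on stdin, 1 otherwise.
has_mech() {
    sasl_mechs_from_ldif | grep -qx "$1"
}

# Stand-alone run: show the command and evaluate the constructed sample.
rootdse_query_cmd
printf '%s' "$SAMPLE_ROOTDSE_LDIF" | sasl_mechs_from_ldif
```

Once the query returns mechanisms, the bind can be switched from the simple form (`-x -D "cn=root,..." -W`) to the SASL form the first reply suggests (`-U root`); whether `root` is accepted depends on the SASL realm and the sasl-regexp mapping, not on the rootdn in slapd.conf.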