
Re: Trying to enable SASL support for OpenLDAP 2.0.11...

Stephan Siano wrote:
> the -D parameter is for simple authentication, you should use "-U
> root" instead (if root is a valid user in your SASL realm).

Something happened when I was setting up my station for PAM through LDAP. For some reason, the SASL just suddenly woke up. I wonder if this had anything to do with what authconfig does when you turn on LDAP, but I'd like to pinpoint the source of this problem. After all, this is only a test box, and I don't want to end up getting the same problem with the REAL boxes.

Anyway, I was getting this:

# ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Unknown error

Until I used that -U switch, and then I started getting data. I have another important question, though: How do I enable SASL support for PAM through LDAP? According to the /etc/ldap.conf (different than /etc/openldap/ldap.conf), there are binddn and PW directives and there are rootdn/pw directives, but I don't know how to translate this into SASL mode. Is this even possible? Can I use mixed modes without fear of password confusion between the SASL auth and the passwords within the user entries in the LDAP database?

According to LDAPSearch, I don't have the required
"supportedSASLMechanisms" objects in my Root DN:

This is another pitfall: supportedSASLMechanisms is an operational attribute. You have this (if SASL is working) but your ACLs must grant anonymous read access to it.


# ldapsearch -D "cn=root,dc=missiondata,dc=com" -b "" -Wxs base -LLL
Enter LDAP Password:
objectClass: top
objectClass: OpenLDAProotDSE

But, from the line above, I'm using my root account. It should read anything, right? Even when I use SASL mode to access it, it still doesn't work. Of course, I'm still trying to figure out this LDAP filter. I try "(objectclass=*)" and I get something, but "(*=*)" doesn't get me anything, and "(*)" is a bad filter.

-- Brendan Byrd (brendanb@missiondata.com) System Administrator @ Mission Data http://www.missiondata.com/
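A small check for the supportedSASLMechanisms question above, added here as an example and not part of the thread: because supportedSASLMechanisms is an operational attribute, the server only returns it when it is named explicitly in the attribute list (the search in the message asks for no attributes, so only objectClass comes back), and the ACL must allow the anonymous bind to read the rootDSE. The functions below parse the LDIF that an anonymous `ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms` prints and report which mechanisms are advertised; the sample rootDSE output embedded in the script is constructed, and the host name is an assumption.

```shell
#!/bin/sh
# Added example: parse rootDSE LDIF and check which SASL mechanisms an
# anonymous client can see. Feed it the output of
#   ldapsearch -x -H ldap://ldap.example.com -b "" -s base -LLL supportedSASLMechanisms
# (host is an assumption). LDIF folds long values onto continuation lines
# that start with a single space, so the input is unfolded first.

# Constructed sample rootDSE output, including one folded value.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-
 MD5
objectClass: top
objectClass: OpenLDAProotDSE'

# unfold_ldif: join LDIF continuation lines back onto their attribute line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# sasl_mechs: print each advertised SASL mechanism from LDIF on stdin.
sasl_mechs() {
    unfold_ldif | awk -F': ' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# has_mech MECH: succeed if MECH is advertised in the LDIF on stdin.
# An empty result usually means the ACL hides the rootDSE from anonymous
# clients, or the attribute was not requested by name.
has_mech() {
    sasl_mechs | grep -qx "$1"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ROOTDSE" | sasl_mechs
```

Against a live server, replace the sample with `ldapsearch -x -H ldap://ldap.example.com -b "" -s base -LLL supportedSASLMechanisms | has_mech DIGEST-MD5`; a failure there, while the same query works after a SASL bind, points at the ACL on the rootDSE rather than at SASL itself.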