[Date Prev][Date Next]
RE: SASL and slurpd
IT'S NOW WORKING. AFTER 92 HOURS OF WORK, IT'S WORKING CORRECTLY.
I will post a how-to to this mailing list as soon as I've tested the
configuration and finished the documentation.
From: MCGLADREY, KAYNE A [mailto:KAYMCG@SAFECO.com]
Sent: Thursday, September 27, 2001 10:36 AM
To: Openldap-Software (E-mail)
Subject: SASL and slurpd
I am now 15 hours into the saga of installing OpenLDAP 2.0.11 on FreeBSD
4.3. Thanks to everyone who assisted in compiling the software - two typos
were to blame. The successful sequence was:
1.Type env CPPFLAGS="-I/usr/local/include/sasl" LDFLAGS="-L/usr/local/lib
-L/usr/local/lib/sasl" ./configure --enable-login --disable-krb4
--disable-gssapi --with-des=/usr/include/openssl/ --without-kerberos
--with-cyrus-sasl-libraries=/usr/local/lib/sasl/ and press Enter.
2.Type make depend and press Enter.
3.Type make and press Enter.
4.Type make install and press Enter.
However, I am now faced with the same issue I faced for 75 hours on Linux.
Presuming that this is the correct command to include SASL support, I would
like to use SASL authentication to secure the user name & password during
replication. Data can travel over the wire in plain text. I would IDEALLY
like to use MD5 to handle the SASL encryption. However, as this email
states, none of the available methods (PLAIN, LOGIN, MD5) are working.
I have two servers, one running Red Hat 7.1 and one running FreeBSD 4.3.
Typing ldapsearch -d 2 on either server indicates that PLAIN and LOGIN are
To begin replication, I type the following command on the server:
/usr/local/libexec/slurpd -d 255
slurpd reads the configuration file without error and starts looking at the
replication log. Here is the output that concerns me:
Initializing session to jarrett.safeco.com:389
bind to jarrett.safeco.com as REPL.LDAP.SAFECO.COM via LOGIN (SASL)
ldap_interactive_sasl_bind_s: user selected: LOGIN
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown authentication
ber_flush: 7 bytes to sd 8
0000: 30 05 02 01 01 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 01 42 00 0....B.
ldap_free_connection: actually freed
> > > At this point, I press CTRL-C after waiting for five minutes with no
apparent processing occurring.
Retrying operation for DN uid=roman_g,ou=Distributors,dc=safeco,dc=com on
end replication thread for jarrett.safeco.com:389
Based on this output, it appears that the wrong user name is being passed.
Here is the relevant section of slapd.conf from the server:
## REPLICATION OPTIONS
> > > NOTE: I've also tried "PLAIN" and "MD5". Neither works. < < <
And from the backup server:
And from the command sasldblistusers (also on the backup server):
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: PLAIN
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: CRAM-MD5
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: DIGEST-MD5
Finally, here's the /usr/local/lib/sasl/slapd.conf (on the backup):
Thank you for reading to the bottom of this rather comprehensive email. If
you have a suggestion on how to make SASL work with OpenLDAP, please contact
I will state again, for the record, that the following "suggestions" aren't
* "Check the archives for hints!"
* "Read the manpage for slapd.conf"
* "Check to see if the sample-client and sample-server with SASL are
* "http://www.bayour.com/LDAPv3-HOWTO.html" - this last one introduces WAY
too many variables, i.e. kerberos. It's a great how-to, but it doesn't help
if you're trying to get _JUST_ SASL working.
Thanks in advance to those who reply,