[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapadd won't add entry via SASL/DIGEST-MD5

At 09:56 AM 2002-09-02, Gary C. New wrote:
>I was able to get the sasl sample server and client
>software working, but was not really sure how to then
>test them against the ldap service (unless it was just
>"-s ldap").
>I decided to open up the verboseness of ldapadd and
>believe I've discovered what the fundamental problem
>may be.  It seems that ldapadd is trying to
>authenticate against the server's FQDN as the realm,
>which is not associated with any of the users in the
>sasldb.  I tried specifying the authcid (-U) and
>authzid (-X) (i.e., root@localhost), but could never
>get ldapadd to supply the correct realm information. 
>I am able to add ldap entries using simple
>authentication, but still no sasl.
>Any idea how I might be able to force ldapadd to use
>the user specific realm information (i.e., localhost)?

-R localhost

>--- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>> At 01:58 PM 2002-08-28, Gary C. New wrote:
>> >I was recently able to build cyrus-sasl-2.1.7
>> >(--with-ldap and --with-mysql) and openldap-2.1.4
>> >(--with-cyrus-sasl) on a Linux box.
>> >
>> >I am now at the point where I am trying to use
>> ldapadd
>> >to add ldap entries via SASL/DIGEST-MD5 like so:
>> >
>> ># ldapadd -f test.ldif -D "cn=root,dc=test,dc=org"
>> >SASL/DIGEST-MD5 authentication started
>> >Please enter your password: 
>> >ldap_sasl_interactive_bind_s: Internal
>> (implementation
>> >specific) error (80)
>> >        additional info: SASL(-13): user not found:
>> no secret
>> >in database
>> >
>> >When using SASL/DIGEST-MD5 authentication what are
>> the
>> >typical steps necessary to get ldapadd to work?
>> The first step is to get the Cyrus SASL sample
>> client/server working.  Have you done this?
>> >I've been monitoring the system logs and no errors
>> are
>> >reported.  Does the rootdn need to be added to the
>> >sasldb2
>> No.  But you need to have the user/password in
>> sasldb2 (if you are using sasldb2 and not some
>> other credential store).
>> >(i.e., saslpasswd2 -c root -u test.org)?
>> IIRC, that's basically right.  But better to follow
>> Cyrus SASL's sysadmin.html documentation on how to
>> get their sample client / server working... then
>> ldapclients & slapd(8) should work using same
>> mechanism / credentials which worked for the same
>> client / server.
>> >It is apparent that this is a user/passwd error,
>> but
>> >where do I initially add the SASL/DIGEST-MD5 rootdn
>> >passwd and what would the ldapadd syntax be after
>> >having created the rootdn account?
>> Once you have the sample client/server working and
>> duplicated in ldap clients / server, you can check
>> the logs to see what DN was associated with the
>> authenticated user... and for your "root" user,
>> set the rootdn to the DN associated that user.
>> The form of this DN is discussed in the Admin Guide.
>> The Admin Guide also discusses optional DN mapping
>> capabilities of slapd(8).
>> Kurt
>Do You Yahoo!?
>Yahoo! Finance - Get real-time stock quotes