Re: Yet another "ldap_sasl_interactive_bind_s: Local error" unresolved problem !
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 5 Sep 2002 wagner.bila@embraer.com.br wrote:
>
> Folks,
>
> I've been trying, these last 2 or 3 days, to find an answer to the
> problem I'm facing when I try to authenticate my application to a remote
> LDAP server. I've looked at many messages posted to this list but none gave me
> the answer and helped me to solve it, and that's why I'm posting this
> message ... My application (which is in fact a web page written in PHP
> script) needs to access a remote LDAP server to authenticate a user (in
> fact, what really matters here is that I need to query its database). Well,
> the PHP engine relies on the UMIC's LDAP implementation (version 3.3),
> which has the default authentication method set to the SASL mechanism. This
> mechanism seems to be not working properly 'cause when I try to run a
> simple query like this one:
>
> ldapsearch -u -h "my_ldap_server" -D "cn=Test" -w "password" "cn=a*"
>
> I receive the following error:
>
> ldap_sasl_interactive_bind_s: Local error
>
> There are many messages posted talking about this error and saying that
> the probable reason for this is that Kerberos server is not running or
> something like that (which involves the TGT ticket exchange at binding
> time). For me, this seems to be only reasonable if my problem was at the
> server side, which it is not. I need to configure just a client to access a
> remote server, I don't want to use Kerberos or any other back-end service!
> The interesting matter is that if I run the same query with the -x option
> (requesting for a simple authentication), everything goes well and my query
> is done successfully! This is the successful query:
>
> ldapsearch -x -u -h "my_ldap_server" -D "cn=Test" -w "password" "cn=a*"
>
> Is there any way to always disable the SASL authentication method to the
> OpenLDAP tools and library ? If not, what could be possibly wrong ?
At runtime, with the '-x' flag. It's supposed to be made for this.
> I tried the same query on a Novell LDAP server and a Lotus Notes LDAP
> server, giving me the same answer. Both of them gave me the same answer,
> having the same problem. When I consult both of them with the following
> query:
>
> ldapsearch -h my_ldap_server -x -b "" -s base -LLL supportedSASLMechanisms
>
> I receive:
>
> dn:
> supportedsaslmechanisms: EXTERNAL
>
The '-x' flag selects simple authentication, the same as 'do not
use SASL'.
- -Z[Z]: With this option, use 'START-TLS'. With only one 'Z', the client
will try START-TLS if this option is available in the server; if not, a
non-crypto connection will be tried. With the second "-Z", the use of
START-TLS becomes mandatory, and the connection will be closed if this
option isn't available in the server.(1)
I've tried out the same query on my ldap-server (v. 2.0.25);
the response was:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Is it a 'php concern'?
(1)docsource:doc-servidor - Linux Conectiva 8.0
- ---
I'm off!
====================<<<<<< * >>>>>>>====================
=========== Renato Q. Salles UIN 143517540 ===========
=========== Linux Registered User nº 217696 ===========
====================<<<<<< * >>>>>>>====================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9d/wZ7m5526AiZG0RAlifAJ40CY1mwBdLqGr7EEeXDcqkkicqXgCfc9Yz
GsEagljGtPjAeWC0/FD1qH8=
=JIdj
-----END PGP SIGNATURE-----
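
The command lines from this thread, run through a small classifier, as an added example that is not part of either poster's message: it reports whether an ldapsearch invocation binds with SASL, anonymously, or with a simple bind whose password is or is not covered by the -Z / -ZZ StartTLS behaviour described in the reply. A simple bind carries the password unencrypted unless the connection itself is encrypted; the helper name `classify_bind` and its result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: options are written
# separately (as in the thread), not bundled like "-xZZ".
classify_bind() (
    simple=0; tls=0; creds=0
    while [ $# -gt 0 ]; do
        case $1 in
            -x)  simple=1 ;;                          # simple bind, i.e. no SASL
            -Z)  [ "$tls" -ge 1 ] && tls=2 || tls=1 ;;  # one -Z: try StartTLS; two: require it
            -ZZ) tls=2 ;;                             # StartTLS mandatory
            -W)  creds=1 ;;                           # password will be prompted for
            -w|-y)                                    # password as argument / from file
                 creds=1; [ $# -gt 1 ] && shift ;;
            -H)  case ${2:-} in ldaps://*) tls=2 ;; esac  # TLS from connection start
                 [ $# -gt 1 ] && shift ;;
            -D|-h|-p|-b|-s|-Y|-U)                     # other options that take a value
                 [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    if   [ "$simple" -eq 0 ]; then echo "sasl"                 # tool default: SASL bind
    elif [ "$creds"  -eq 0 ]; then echo "simple-anonymous"     # no password is sent
    elif [ "$tls"    -eq 2 ]; then echo "simple-tls-required"  # password only sent over TLS
    elif [ "$tls"    -eq 1 ]; then echo "simple-tls-optional"  # may fall back to cleartext
    else                           echo "simple-cleartext"     # password sent unencrypted
    fi
)

# The three command lines quoted in the thread:
classify_bind -u -h my_ldap_server -D "cn=Test" -w "password" "cn=a*"
classify_bind -x -u -h my_ldap_server -D "cn=Test" -w "password" "cn=a*"
classify_bind -h my_ldap_server -x -b "" -s base -LLL supportedSASLMechanisms
# The working simple bind with StartTLS made mandatory (-ZZ):
classify_bind -x -ZZ -u -h my_ldap_server -D "cn=Test" -w "password" "cn=a*"
```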