[Date Prev][Date Next] [Chronological] [Thread] [Top]

Can't authenticate with SASL

I'm using OpenLDAP v. 2.1.16 on a Redhat 8.0 server, compiled from
source.  I want to use SASL for the replicator and admin users, but
don't care about it for anyone else, so I'm using saslpasswd2 to
generate the user entries.

Regardless whether there is a user in the LDAP db as such, I get this
error with the correct password when authenticating:

% ldapsearch -Y DIGEST-MD5 -U replicator@foo -h foo 'uid=replicator'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: More results to return

Running the server with -d5, it looks like this:

[A lot of regex matching and so forth; this all seems to work fine]
SASL Canonicalize [conn=0]: authzid="replicator@foo"
SASL Authorize [conn=0]: authcid="replicator@foo"
SASL Authorize [conn=0]:  authorization allowed
send_ldap_sasl: err=0 len=40
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 56 bytes to sd 13
<== slap_sasl_bind: rc=0
do_bind: SASL/DIGEST-MD5 bind:
dn="uid=replicator,ou=people,dc=fooland,dc=com" ssf=128
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

This definitely isn't the password as such; if I enter in the wrong
password the server gives a no-nonsense response clearly indicating a
wrong password problem.  I'm quite stumped what the "more results to
return" error means.  At first I thought possibly it was because there
were password entries both in the sasl password db and in LDAP, but the
most recent results are using an LDAP db with no entry for the
replicator user at all; the results are identical.

Anyone have a clue on this?  There was a similar problem reported a
while ago on the list when I searched, but there was no resolution.