
Re: Newbie question on client Auth and SSL


Maybe I expressed myself the wrong way. By "binding" I mean "user".
So, what I'm trying to do is to ldapsearch from a remote host (i.e. the client) and to
authenticate Squid (using pam_auth). The commands on the remote host were:

# pam_auth -n squid_ldap   ----- In this case, the user was "Anonymous" (as
far as I can tell)

# ldapsearch -Uadriela -b "dc=calu,dc=com,dc=br" "(uid=adriela)"
--- Now, this (adriela) is the user. I'm trying to search its own

That's what I meant by "binding". Since I'm a real newbie, correct me if
my binding concept is wrong, please.

Anyway, both give an error, when I expected them to be OK.

By ACL I assume that you're talking about the "Access Control Policy" section
of /usr/local/etc/openldap/slapd.conf. Am I right? If so, my ACL is:

 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
        by self write
        by users read
        by anonymous auth

Just like the "example" in that file. Even so, I got the same results as
without it.

[root@andromeda root]# ldapsearch -Uadriela -b "dc=calu,dc=com,dc=br"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server
[root@andromeda root]#
[root@andromeda root]# pam_auth -n squid_ldap
adriela 123456

[root@andromeda root]#

Is SASL always used when it is compiled in, or can it be switched on/off? I
mean, if SASL is the problem (I guess), without it I'd have a chance of success,
or does that not make sense?


-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Friday, 29 October 2004 16:45
To: Bruno Di Rei Araujo; 'openldap-software@openldap.org'
Subject: Re: Newbie question on client Auth and SSL

--On Friday, October 29, 2004 3:00 PM -0200 Bruno Di Rei Araujo 
<BrunoA@calu.com.br> wrote:

> When I compile OpenLDAP with the OpenSSL libraries present, does it enforce
> SSL use from then on?

No. You can enforce the use of SSL by setting "ssf" factors in your ACLs.

> I'm experiencing the following: I've set up my server and have it working
> fine. I can search (anonymous binding) and add entries using Manager
> credentials. However, I can't search with a different binding, nor can I
> authenticate using pam_auth (from Squid), which is the "only" application I
> need working with LDAP right now.  I issue the following:
> (sorry for the level -1 log, but I don't know which level would suffice)

You don't supply the commands you are using to try and bind via things 
other than Manager.

> In fact, I don't know if I'm in front of two different problems or a
> single one, because of the bolded message in the log file (ber_get_next
> on fd 9 failed errno=11 (Resource temporarily unavailable) ).

Have you examined your ACLs?  You can ignore the resource temporarily 
unavailable error.

> As the remote message was about a connection error to the server, I thought it
> could be related to SSL. But I've compiled OpenLDAP with SSL support
> ***just in case*** I'd need it in the future. So I didn't create or set up
> an OpenSSL server. Is it related to the problem? And another question: does
> anybody know which log level I can use to debug those "authentication" problems?

Having compiled it against OpenSSL should have no bearing on whether or not 
you can authenticate.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.279 / Virus Database: 264.10.2 - Release Date: 08/10/04

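The following slapd.conf fragment is an added example and is not from either poster. It takes the ACL Bruno quoted and adds the "ssf" factors Quanah refers to, so that password authentication and reads of user data are only allowed over a session with at least 128 bits of encryption strength (TLS with a 128-bit cipher satisfies this; a plain ldap:// session has SSF 0 and is refused). The certificate paths, the 128-bit figure and the userPassword rule are assumptions, not settings from the thread; without server-side TLS material no client can reach the required SSF, which is why the TLS directives are included.

```conf
# Added example (not from the thread): slapd.conf fragment that keeps the
# poster's ACL but gates sensitive access on the session's security
# strength factor (ssf). Paths and the 128-bit threshold are assumptions.

# Server-side TLS material (assumed paths) so that StartTLS or ldaps://
# can actually be negotiated; without it every session stays at ssf=0.
TLSCACertificateFile    /usr/local/etc/openldap/cacert.pem
TLSCertificateFile      /usr/local/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/slapd-key.pem

# Root DSE and schema stay readable by anyone, as in the original config.
access to dn.base=""            by * read
access to dn.base="cn=Subschema" by * read

# Password attribute: a user may change its own password and an anonymous
# client may use it to authenticate (simple bind), but only over a session
# with ssf >= 128. Over plain ldap:// neither clause matches and the
# fallback "by * none" applies, so the bind fails instead of sending the
# password in clear text. This rule must precede the catch-all below.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

# Everything else: same shape as the poster's ACL, with the ssf gate added.
# Anonymous reads of user entries are no longer allowed at all.
access to *
        by ssf=128 self write
        by ssf=128 users read
        by * none
```

The per-ACL form is what Quanah mentions; the simpler global equivalent is the slapd.conf directive `security ssf=128`, which rejects every operation on a session below that strength before any ACL is consulted. On the client side the matching search is a simple bind over StartTLS, for example `ldapsearch -x -ZZ -H ldap://server -D "uid=adriela,dc=calu,dc=com,dc=br" -W -b "dc=calu,dc=com,dc=br" "(uid=adriela)"`, where `-x` selects simple (non-SASL) bind, `-ZZ` makes StartTLS mandatory, `-D` gives the bind DN and `-W` prompts for the password; the hostname and the user's DN are assumed, since the thread does not show the directory layout. Two caveats worth checking against the transcript in the thread: the quoted ldapsearch command names no host, and without `-H` (or `-h`) ldapsearch uses the URI from ldap.conf, which defaults to localhost rather than the remote server; and `-U adriela` is a SASL authentication id, which slapd must map to a DN (via an authz-regexp/sasl-regexp directive) before the DIGEST-MD5 bind can succeed, whereas `-x -D` binds to the DN directly.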