Re: Newbie question on client Auth and SSL
Quanah,
Maybe I expressed myself in a wrong way. With "binding" I mean "user".
So, what I'm trying is to ldapsearch from a remote host (i.e. client) and to
authenticate squid (using pam_auth). The commands on the remote host were:
# pam_auth -n squid_ldap ----- In this case, the user was "Anonymous" (as
far as I can tell)
# ldapsearch -Uadriela -b "dc=calu,dc=com,dc=br" "(uid=adriela)"
--- Now, this (adriela) is the user. I'm trying to search its own
entry.
That's what I meant with "binding". Since I'm a real newbie, correct me if
my binding concept is wrong, please.
Anyway, both give errors, when I expected them to be OK.
By ACL I assume that you're talking about "Access Control Policy" section
from /usr/local/etc/openldap/slapd.conf . Am I right? If so, my ACL is:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
Just as in the "example" in that file. Even so, I got the same results as
without it.
[root@andromeda root]# ldapsearch -Uadriela -b "dc=calu,dc=com,dc=br" "(uid=adriela)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server
[root@andromeda root]#
[root@andromeda root]# pam_auth -n squid_ldap
adriela 123456
ERR
[root@andromeda root]#
Is SASL always used when compiled in, or can it be switched on/off? I
mean, if SASL is the problem (I guess), would I have a chance of success
without it, or does that not make sense?
Regards,
Bruno
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Friday, October 29, 2004 16:45
To: Bruno Di Rei Araujo; 'openldap-software@openldap.org'
Subject: Re: Newbie question on client Auth and SSL
--On Friday, October 29, 2004 3:00 PM -0200 Bruno Di Rei Araujo
<BrunoA@calu.com.br> wrote:
> When I compile OpenLDAP with OpenSSL libraries present, does it enforce
> SSL utilization from then on?
No. You can enforce the use of SSL via setting "ssf" factors in your ACLs
however.
> I'm experiencing the following: I've setup my server and have it working
> fine. I can search (anonymous binding) and add entries using Manager
> credentials. However, I can't search with a different binding, nor can I
> authenticate using pam_auth (from Squid); that's the "only" application I
> need working with ldap right now. I issue the following:
> (sorry for level -1 log, but I don't know which level would suffice)
You don't supply the commands you are using to try and bind via things
other than Manager.
>
> In fact, I don't know if I'm in front of two different problems or a
> single one, because of the bolded message in the log file (ber_get_next
> on fd 9 failed errno=11 (Resource temporarily unavailable) ).
Have you examined your ACLs? You can ignore the resource temporarily
unavailable error.
> As the remote message was about connection error to server, I thought it
> could be related to SSL. But I've compiled OpenLDAP with SSL support
> ***just in case*** I'd need it in the future. So I didn't create or setup
> OpenSSL server. Is it related to the problem? And other question: anybody
> knows which log level I can use to debug those "authentication" problems?
Having compiled it against OpenSSL should have no bearing on whether or not
you can authenticate.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.279 / Virus Database: 264.10.2 - Release Date: 08/10/04
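As an added example (not part of Bruno's or Quanah's messages), the slapd.conf fragment below shows what Quanah's "enforce the use of SSL via setting ssf factors in your ACLs" looks like when applied to the ACL Bruno posted. The certificate file paths, the 128-bit threshold and the separate userPassword rule are assumptions added here; the base DN and the three access rules come from the thread.

```conf
# Added example, not from the thread: slapd.conf fragment that keeps the
# poster's ACL shape but requires a minimum security strength factor (ssf)
# on the session before any bind or read succeeds.
# Certificate file paths below are placeholders.
TLSCACertificateFile   /usr/local/etc/openldap/cacert.pem
TLSCertificateFile     /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile  /usr/local/etc/openldap/serverkey.pem

# Global floor: refuse any operation on a session weaker than 128-bit
# protection (TLS or a SASL security layer). Without this line, the
# "by ssf=128 ..." clauses below still deny, but only per rule.
security ssf=128

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# Passwords: the owner may change them, and simple binds may compare
# against them, but only over a protected session. Nobody else sees them.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

# Everything else: the poster's original three clauses, each now gated on
# the session's ssf. An unprotected session matches none of them and is
# denied by the final "by * none".
access to *
        by ssf=128 self write
        by ssf=128 users read
        by ssf=128 anonymous auth
        by * none
```

With this in place, a client has to negotiate TLS first, for example `ldapsearch -ZZ ...` (StartTLS, with `-ZZ` meaning "required") or an `ldaps://` URI; a cleartext connection on port 389 is answered with "Confidentiality required" instead of being served. Note also that `-U`, as used in the thread, selects a SASL bind (DIGEST-MD5 in the output shown), whereas a simple bind against the userPassword rule above is requested with `-x -D "<DN of the uid=adriela entry>" -W`; the entry's DN does not appear in the thread, so it is left as a placeholder here.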