
RE: ldapsearch and sasl



Thanks for your help in clarifying this, Dieter:

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org 
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of 
> Dieter Kluenter
> Sent: Wednesday, March 16, 2005 5:46 PM
> To: openldap-software@OpenLDAP.org
> Subject: Re: ldapsearch and sasl
> [...]
> > I can run both:
> > 
> > ldapsearch -x -b dc=glocalnet,dc=net -D 
> cn=Manager,dc=glocalnet,dc=net
> > '(objectclass=*)'
> 
> this is an anonymous bind as you don't specify a password
Not only that, but my information was false.  I can't run it without
either -w password or -W.  Sorry.

[...]
> > 
> > However, I cannot run:
> > 
> > ldapsearch -b dc=glocalnet,dc=net -D cn=Manager,dc=glocalnet,dc=net
> > '(objectclass=*)'
> > 
> > When I try, I get the following error message:
> > 
> > SASL/DIGEST-MD5 authentication started
> > Please enter your password:
> > ldap_sasl_interactive_bind_s: Internal (implementation 
> specific) error
> > (80)
> >          additional info: SASL(-13): user not found: no secret in 
> > database
> >
> 
> With option -D you define a distinguished name, thus you have 
> to initiate a simple bind with option -x and a password 
> option -W or -w, see man
> ldapsearch(1) for more information.

I thought my sasl lines in slapd.conf were intended to translate the dn
to sasl format and the sasl user Manager@glocalnet.net exists in the
sasldb2 database, together with the same password.  But it is of course
the other way round, that sasl converts user names to the dn and looks
for their password in the ldap directory.

I have been - and probably still am - a bit confused as to the role of
sasl in all this.  I have been assuming that the sole role of sasl is to
encrypt the communication between client and server.  I'm not at all
clear as to how many of my users I have to have in the sasl database,
but at the moment I only have Manager@glocalnet.net, that is the
equivalent of the rootdn in ldap.

I don't know why the creators of openldap moved to sasl instead of
staying with tls/ssl.  Maybe someone can explain this.



mvh/regards

James
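The exchange above turns on two mechanics that are easy to conflate: slapd derives a DN of the form uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth from a SASL identity and rewrites it with authz-regexp rules into a real directory DN, and a DIGEST-MD5 bind only works if the server can find a secret for that identity (with the sasldb auxprop plugin, under the key user@realm). The Python below is an added illustration of both halves and is not OpenLDAP code; the authz-regexp rules and the sasldb contents are constructed for the example, since the poster's slapd.conf is not shown in the thread.

```python
import re
from typing import Optional

# Added illustration (not OpenLDAP's code) of how slapd resolves a SASL bind:
#  1. build the cn=auth DN for the SASL identity;
#  2. rewrite it with authz-regexp rules (first match wins, as in slapd);
#  3. show where a DIGEST-MD5 secret is looked up when sasldb is the auxprop
#     source, which is the lookup behind "no secret in database".


def sasl_auth_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """Build the cn=auth DN slapd derives from a SASL authentication identity.

    The realm RDN is present only when the mechanism supplies one (DIGEST-MD5
    normally does; GSSAPI and EXTERNAL omit it).  The mechanism name is written
    in lower case, as in the OpenLDAP admin guide's examples.
    """
    rdns = [f"uid={authcid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(rdns)


# Constructed authz-regexp rules, written the way they appear in slapd.conf:
# a regex matched against the cn=auth DN and a replacement that may use $1..$9
# for captured groups.  These are assumptions for the example, not the
# poster's configuration.
AUTHZ_REGEXP = [
    ("uid=([^,]*),cn=glocalnet.net,cn=digest-md5,cn=auth",
     "cn=$1,dc=glocalnet,dc=net"),
    ("uid=([^,]*),cn=[^,]*,cn=auth",
     "cn=$1,dc=glocalnet,dc=net"),
]


def authz_map(auth_dn: str, rules=AUTHZ_REGEXP) -> Optional[str]:
    """Rewrite a cn=auth DN with the first matching authz-regexp rule.

    Returns None when no rule matches.  In that case slapd leaves the bind
    identity in its cn=auth form, so ACLs written against the entry's real DN
    do not apply to that session.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            # translate slapd's $N back-references into Python's \N form
            py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)
            return m.expand(py_replacement)
    return None


# Constructed sasldb contents, keyed the way `saslpasswd2 -u <realm> <user>`
# stores them (user@realm).  sasldb keeps the secret in cleartext because
# DIGEST-MD5 cannot be verified against a one-way hash, so the file must be
# readable by the slapd user only.
SASLDB = {
    "Manager@glocalnet.net": "constructed-example-secret",
}


def digest_md5_secret(authcid: str, realm: str, sasldb=SASLDB) -> str:
    """Return the secret sasldb holds for authcid@realm, or raise LookupError.

    The LookupError text mirrors the condition reported in the thread when the
    identity has no entry in sasldb.
    """
    key = f"{authcid}@{realm}"
    if key not in sasldb:
        raise LookupError(f"SASL(-13): user not found: no secret in database ({key})")
    return sasldb[key]


def resolve_sasl_bind(authcid: str, mech: str, realm: Optional[str] = None) -> dict:
    """Run the whole resolution and report each stage for inspection."""
    auth_dn = sasl_auth_dn(authcid, mech, realm)
    result = {"auth_dn": auth_dn, "mapped_dn": authz_map(auth_dn), "secret_found": False}
    if mech.upper() == "DIGEST-MD5" and realm:
        try:
            digest_md5_secret(authcid, realm)
            result["secret_found"] = True
        except LookupError:
            pass
    return result


if __name__ == "__main__":
    for args in (("Manager", "DIGEST-MD5", "glocalnet.net"),
                 ("james", "DIGEST-MD5", "glocalnet.net"),
                 ("james", "GSSAPI")):
        print(args, "->", resolve_sasl_bind(*args))
```

Running the block shows the Manager identity mapping to cn=Manager,dc=glocalnet,dc=net with a secret found, a second DIGEST-MD5 user mapping correctly but failing the secret lookup (the "no secret in database" case), and a GSSAPI identity that maps through the second rule without any sasldb lookup at all. Note that a simple bind with -x and -D never enters this path: the DN is used directly and the password is checked against the entry's userPassword.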