Re: open ldap with SASL & GSSAPI
Maxwell Bottiger wrote:
On Wed, 2006-11-08 at 18:28 -0800, Howard Chu wrote:
SASL-enabled servers don't talk to saslauthd to perform GSSAPI
authentication, so that is out of the equation.
I figure this is one of three possible problems.
1 - saslauthd isn't working right
That's very interesting. If openldap and other sasl enabled services
don't need saslauthd, what does use it? Just curious. Maybe it's
something I can turn off.
I generally don't build saslauthd; I find it to be more of a liability
than anything else. It only supports plaintext password authentication.
The couple of things that it can do that nothing else does are to authenticate
a plaintext password against PAM, IMAP, and some other external mechanisms.
The only reason OpenLDAP supports SASL is to provide strong
authentication mechanisms. Going to the trouble of setting up SASL, and
then only using it with plaintext, just doesn't make any sense.
I have some more information from playing around this afternoon. The
first thing I found is that LDAP authentication is still working for my
Fedora 5 computers. The LDAP queries for users are failing only for the
Fedora 6 machine. Since the setups are identical except for releases, I
submitted a bug report to Red Hat's Bugzilla.
There are two logs attached to the bug report which detail this problem.
They are both kind of lengthy, so I won't list them here.
That having been said, I'm really really leaning toward me not setting
up these queries correctly. ldapsearch is still failing regardless of
whether or not logins are working, and they are failing with the same
Thanks for your quick response.
First you should follow Kurt's advice and get the SASL sample client and
server working, before leaping to any other conclusions.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/