Re: cmusaslsecretPLAIN attribute



Dieter Kluenter wrote:
John Burian <john@burian.org> writes:

Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use
TLS, while your ldapwhoami seems to indicate that you want to make use
of PLAIN mechanism, which is disabled by default, unless you
provide a secure transport method, that is either TLS or local socket.
Unless you provide more information on the parameters used, no advice
can be given.

Correct, I want to be using SASL/PLAIN over TLS. The following works:

$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)

This is *not* a SASL bind
I know. That line was included to illustrate that a simple bind works, using my DN and password.
The same command without '-x -W', or ldapwhoami with no args, does not work:

$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password
verification failed

If you want a SASL bind with PLAIN mechanism and TLS, the ldapwhoami should look something like

$ ldapwhoami -Y PLAIN -U burianj -ZZ -H ldap://localhost
I'm not having a problem getting TLS to work. ldapwhoami is connecting over port 636, I see correct TLS messages in the log file, and ldapwhoami reports that it is authenticating with SASL/PLAIN. For the record, if I try the above command, forcing the connection over port 389 and using StartTLS, I get the same results as just using "ldapwhoami" or "ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'". The problem is simple authentication works, SASL/PLAIN authentication with the same DN and password fails.

John
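Added illustration (not code from this thread or from OpenLDAP) of the difference between the two binds John compares: a simple bind hands slapd the DN itself, while a PLAIN bind sends only an authentication identity in the RFC 4616 layout, which slapd first turns into a uid=...,cn=plain,cn=auth name and must then map to an entry. The authz-regexp rule below is an assumed example, not something the thread shows.

```python
import re

# Constructed example: how the two binds in the thread present the user to slapd.
# Added illustration, not code from the thread or from OpenLDAP.

def encode_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """SASL PLAIN initial response (RFC 4616): [authzid] NUL authcid NUL passwd.
    This is what 'ldapwhoami -Y PLAIN -U burianj' sends once TLS is up."""
    for name, value in (("authzid", authzid), ("authcid", authcid), ("password", password)):
        if "\x00" in value:
            raise ValueError(f"{name} must not contain NUL")
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    return b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))

def decode_plain(msg: bytes):
    """Server-side split of a PLAIN response into (authzid, authcid, password)."""
    parts = msg.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN response must have exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    return authzid, authcid, password

def sasl_auth_dn(authcid: str, mech: str, realm: str = "") -> str:
    """Authentication DN slapd derives from a SASL identity before any mapping:
    uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth (mechanism in lower case)."""
    realm_part = f",cn={realm}" if realm else ""
    return f"uid={authcid}{realm_part},cn={mech.lower()},cn=auth"

# Assumed authz-regexp rule (not in the thread): map the SASL auth DN onto the
# entry the simple bind used, so both binds end at the same uid= entry.
AUTHZ_REGEXP = (r"^uid=([^,]+),cn=plain,cn=auth$", r"uid=\1,ou=people,dc=cqcb")

def map_authz(auth_dn: str):
    """Apply the assumed authz-regexp; None means slapd has no entry to bind as."""
    pattern, replacement = AUTHZ_REGEXP
    m = re.match(pattern, auth_dn, re.IGNORECASE)
    return m.expand(replacement) if m else None

def bind_identity(simple_dn: str = "", authcid: str = ""):
    """What slapd ends up with: a simple bind carries the DN itself, while a
    PLAIN bind carries only authcid and needs the mapping to reach an entry."""
    if simple_dn:
        return simple_dn
    return map_authz(sasl_auth_dn(authcid, "PLAIN"))
```

Calling bind_identity(simple_dn="uid=burianj,ou=people,dc=cqcb") and bind_identity(authcid="burianj") returns the same entry only when the mapping rule matches; with a realm in the auth DN the assumed rule does not match and the result is None.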