
Re: sasl issue - but I don't want sasl atm



On Thursday 02 April 2009 13:54:20 Da Rock wrote:
> On Thu, 2009-04-02 at 12:55 +0200, Michael Ströder wrote:
> > Da Rock wrote:
> > > On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
> > >> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
> > >>> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
> > >>>> Da Rock wrote:
> > >>>>> so I'm trying to
> > >>>>> work out how to setup the system to do a simple bind
> > >>>>
> > >>>> ldapsearch -x -D <bind-DN>
> > >>>
> > >>> I know that, thanks, but this is affecting other apps from obtaining
> > >>> data from the system. I can also just go ldapsearch -x for anonymous.
> > >>> It appears I'm all in or bust! Unless I can set it up so apps can do
> > >>> simple bind...
> > >>
> > >> If you can do a simple bind (anonymous, or authenticated), there (in
> > >> most cases) is nothing preventing other applications from doing simple
> > >> binds. Having SASL support compiled in to the server does not prevent
> > >> other applications for doing simple binds.
> > >>
> > >> Maybe you should provide more information about the applications in
> > >> question, and how they are configured.
> > >>
> > >> (Note: In the past Apple's LDAP client software for Mac OS seems to
> > >> use whichever SASL mechanisms are advertised by the LDAP server, but
> > >> this again isn't about SASL support being compiled in or not).
> > >
> > > That's what I would have figured, yet I get no joy, nothing I can see
> > > out of the ordinary in the logs, and all the apps are auth types
> > > (courier, pam, postfix) - plus records for bind.
> > >
> > > Bind doesn't bind to the ldap, and I'm trying to setup the others to do
> > > the same. Obviously, courier has to bind to confirm auth - but only as
> > > the user (not bind as courier, then again as the user).
> > >
> > > Bind works: tested that myself. The others fail miserably.
> > >
> > > I'm not entirely sure what else I need to add exactly, the platform is
> > > freebsd with openldap built with sasl from ports.
> > >
> > > Before anyone suggests it, I already have a mail server running
> > > (postfix, courier); I want ldap as lookup source to ease
> > > administration. The pam is completely new to me, I'm following a lot of
> > > howtos on the web to compile a picture of how it all works.
> > >
> > > Now as to pam, I thought it must be my ineptitude in configuration, so
> > > I put it on hold and moved to something easier. Unfortunately I hit a
> > > similar snag there with the imap auth, hence I looked at the ldapsearch
> > > angle. Seems I could be wrong there based on comments received....
> >
> > Sorry, nothing in your postings gives enough information to help you.
> >
> > Posting *relevant* excerpts of configuration and log files and some more
> > information about the client applications is quite helpful.
>
> Sorry I'm being a PITA, but I'm really not sure what I can/need post.

Excerpt from named.conf, and an excerpt from whichever log file you have 
configured slapd to log to, which shows the BIND operation failing.

> Postfix/courier simply connect and request information based on filters.

Where is your postfix configuration regarding ldap?

Where's your authldaprc?

Where is your test with ldapsearch doing exactly what authlib is configured to 
do?

> Binding is only necessary (apparently) to authenticate a user (Courier).
> The filter looks for (usually) the mailbox name/alias and whether the
> account is active, the physical maildir, etc.

I think most people on this list understand how these tools would work. But, 
where is the log from authdaemon showing a failure?

> Logs don't appear to be showing much - nothing I can tell anyway.

Why not? Have you set an appropriate loglevel in slapd.conf ? Have you 
configured your syslog system to log syslog messages from slapd (see 'man 
slapd', look at the -l option) to a log file? Does anything interesting appear 
there?

What have you got in your slapd.conf file?

> The problem is mainly to do with auth. Perhaps the best idea is to point
> me to some reputable and reliable sources of information on how to do
> this?

The project documentation should be sufficient ... but it doesn't cover courier 
authdaemon, postfix, bind or any of the other software, and it's difficult to 
recommend specifics if you can't say what isn't working.

> I'll try and struggle along on my own until I have some more
> firmer evidence.

Well, since it seems you can't provide any of the information that only you have 
access to, that people on this list need to help, that does seem to be your 
only option.


Regards,
Buchan
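The reply above asks for the slapd log excerpt showing the BIND operation failing. The script below is an added example, not part of the thread or of OpenLDAP itself: it filters slapd "stats" log output (what `loglevel stats`, i.e. 256, in slapd.conf produces once syslog's local4 facility is sent to a file) and correlates each BIND with its RESULT line so that only failed binds are printed. The log lines embedded in it are constructed samples in that format, with made-up DNs and connection numbers; they are not from the original poster's system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): list failed BIND
# operations from slapd stats-level log output.
#
# Assumed setup on the server side (standard OpenLDAP settings, not
# something the thread shows):
#   slapd.conf:      loglevel stats
#   syslog.conf:     local4.*   /var/log/slapd.log
# The sample below is constructed; DNs and conn numbers are invented.

SAMPLE_LOG='Apr  2 13:54:20 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=127.0.0.1:41234 (IP=0.0.0.0:389)
Apr  2 13:54:20 ldap slapd[1234]: conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Apr  2 13:54:20 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Apr  2 13:54:21 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=courier,dc=example,dc=com" method=128
Apr  2 13:54:21 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=courier,dc=example,dc=com" mech=SIMPLE ssf=0
Apr  2 13:54:21 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Apr  2 13:54:21 ldap slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(mail=alice@example.com)"
Apr  2 13:54:21 ldap slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text='

# failed_binds: reads slapd log lines on stdin and prints one line per
# BIND whose RESULT reports a non-zero LDAP result code, in the form
#   <conn> <op> <bind DN> <err>
# err=49 is invalidCredentials, the usual symptom of a wrong password
# or a DN that does not exist.
failed_binds() {
    awk '
        /BIND dn=/ {
            # remember the DN keyed by conn/op so the RESULT line can be matched
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /op=[0-9]+/);   op   = substr($0, RSTART + 3, RLENGTH - 3)
            match($0, /dn="[^"]*"/);  dn   = substr($0, RSTART + 4, RLENGTH - 5)
            bind[conn " " op] = dn
        }
        /RESULT/ && /err=/ {
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /op=[0-9]+/);   op   = substr($0, RSTART + 3, RLENGTH - 3)
            match($0, /err=[0-9]+/);  err  = substr($0, RSTART + 4, RLENGTH - 4)
            key = conn " " op
            # only operations we saw as a BIND, and only failures
            if ((key in bind) && err + 0 != 0) print conn, op, bind[key], err
        }
    '
}

# Stand-alone usage: run the filter over the constructed sample.
# On a real system: failed_binds < /var/log/slapd.log
printf '%s\n' "$SAMPLE_LOG" | failed_binds
```

Running it over the sample prints the one failed bind (`1000 0 uid=alice,ou=people,dc=example,dc=com 49`) and stays silent about the courier bind and the search, which is the kind of excerpt the reply asks for: the conn/op pair ties the failing bind DN to the result code, and comparing that DN with the one authlib or postfix is configured to use usually shows the mismatch directly.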