
Re: OpenLDAP session authentication



On 05/10/10 15:04 -0500, Erik Lotspeich wrote:
> Hi Dan,
>
> Thanks so much for your help.  I'm getting closer.
>
> The ldapwhoami seems to work now.
>
> erik@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
> SASL/PLAIN authentication started
> Please enter your password:
> SASL username: erik
> SASL SSF: 0
> dn:uid=erik,cn=plain,cn=auth
> erik@starfish:~/ldif$
>
>
> I have two questions/concerns:
>
> 1. If I leave the "-Y plain" option off of the argument list to
> ldapsearch, I get "Invalid credentials":

That might indicate that your client utilities are attempting to use a
mechanism that is not able to complete your authentication, such as
DIGEST-MD5, or perhaps EXTERNAL.

A workaround is to create a '.ldaprc' file in your home directory with the
contents:

SASL_MECH PLAIN

which all OpenLDAP client utilities (and client library) should honor. See
the man page for ldap.conf(5) for details.

> erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b
> 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> erik@starfish:~/ldif$
>
> I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried
> adding one for ldapsearch:

Is that /usr/lib/sasl2/slapd.conf or /usr/local/sasl2/slapd.conf (should be
the former)?

The file name is determined by the SASL library (or how OpenLDAP calls it),
and should always be 'slapd.conf' for OpenLDAP. The default location for
the file should be /usr/lib/sasl2, but it may also be looked for in /etc/sasl2,
depending on the version of Cyrus you're using and what '--with-configdir'
option was passed to it at compile time.

> root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
> pwcheck_method: saslauthd
> mech_list: plain
>
> This didn't seem to make a difference in allowing me to authenticate
> without the "-Y" option.
>
> 2. I would like to use authenticated LDAP in Thunderbird.  I set
> uid=erik,cn=plain,cn=auth as my Bind DN.  It asked for my password, but
> always returned 'authentication failed'.

The 'uid=erik,cn=plain,cn=auth' DN is your derived authenticated identity
based on SASL authentication. Thunderbird will need to perform a SASL
bind using a username of 'erik' and your password. You cannot perform
simple authentication using that DN unless that DN actually exists in your
tree.

See chapter 15 of the OpenLDAP Software 2.4 Administrator's Guide for a
discussion of mapping authentication identities to DNs.

--
Dan White
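The following is an added illustration, not part of the thread above and not OpenLDAP code. It emulates, in plain Python, the two behaviours Dan describes: a simple bind against the SASL-derived DN 'uid=erik,cn=plain,cn=auth' fails with result 49 because no such entry exists in the tree, while a SASL bind produces that authc DN and an 'authz-regexp'-style rule (the mapping discussed in chapter 15 of the Admin Guide) rewrites it to a real entry under 'ou=people,dc=lotspeich,dc=org'. The directory entries, the password table standing in for saslauthd, and the mapping rule are all constructed for the example.

```python
import re

# Constructed stand-in for a slapd authz-regexp directive of the form
#   authz-regexp "uid=([^,]*),cn=[^,]*,cn=auth" "uid=$1,ou=people,dc=lotspeich,dc=org"
# (rule chosen for this example; adapt the target to your own tree).
AUTHZ_REGEXP = re.compile(r"^uid=([^,]*),cn=[^,]*,cn=auth$", re.IGNORECASE)
AUTHZ_TARGET = "uid={0},ou=people,dc=lotspeich,dc=org"

# Constructed sample tree: only these DNs exist, so only they can simple-bind.
SAMPLE_TREE = {
    "uid=erik,ou=people,dc=lotspeich,dc=org": {"userPassword": "s3cret"},
}

# Constructed stand-in for saslauthd: the credentials the PLAIN mechanism checks.
SASLAUTHD_USERS = {"erik": "s3cret"}

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def sasl_authc_dn(username, mech):
    """Derive the authentication DN slapd reports after a SASL bind
    (this is what ldapwhoami printed: dn:uid=erik,cn=plain,cn=auth)."""
    return "uid={0},cn={1},cn=auth".format(username, mech.lower())


def map_authc_to_authz(authc_dn):
    """Apply the authz-regexp rewrite; return None if no rule matches."""
    m = AUTHZ_REGEXP.match(authc_dn)
    if not m:
        return None
    return AUTHZ_TARGET.format(m.group(1))


def simple_bind(dn, password, tree=SAMPLE_TREE):
    """Emulate a simple bind: the DN must exist in the tree and the stored
    password must match. Returns an LDAP result code."""
    entry = tree.get(dn)
    if entry is None or entry.get("userPassword") != password:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def sasl_bind(username, password, mech="PLAIN", users=SASLAUTHD_USERS):
    """Emulate a SASL/PLAIN bind: the password is verified by the SASL layer
    (saslauthd here), not against the directory; the resulting authc DN is
    then mapped to an authz DN. Without a matching rule the bind still
    succeeds, but the identity stays the synthetic cn=auth DN.
    Returns (result_code, authz_dn)."""
    if users.get(username) != password:
        return LDAP_INVALID_CREDENTIALS, None
    authc = sasl_authc_dn(username, mech)
    authz = map_authc_to_authz(authc) or authc
    return LDAP_SUCCESS, authz


if __name__ == "__main__":
    # Simple bind with the SASL-derived DN: no such entry, so result 49.
    print("simple bind as cn=auth DN:",
          simple_bind("uid=erik,cn=plain,cn=auth", "s3cret"))
    # Simple bind with the real entry works.
    print("simple bind as real DN:",
          simple_bind("uid=erik,ou=people,dc=lotspeich,dc=org", "s3cret"))
    # SASL bind as plain username 'erik' maps to the real entry.
    print("sasl bind:", sasl_bind("erik", "s3cret"))
```

The point for a client such as Thunderbird follows directly: configured for simple bind with 'uid=erik,cn=plain,cn=auth' it takes the first path and gets invalid credentials, whereas a SASL bind with username 'erik' takes the second path, and the mapping rule decides which real entry (and therefore which access rights) that session ends up with.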