[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP session authentication


Erik Lotspeich schrieb am 05.10.2010 22:04 Uhr:

I have two questions/concerns:

1. If I leave the "-Y plain" option off of the argument list to ldapsearch, I get "Invalid credentials":
As far as I know from other SASL using software (like Postfix), the
client always chooses the "securest" available mechanism offered by the
So if you do not minimize the mechanism offered, the client tries a
mechanism that might not be intended to be used.
[openldap may do it in another way, anyway - but I don't think so.]

I have a configuration file in /usr/local/sasl2 for slapd.conf; I
tried adding one for ldapsearch:

root@starfish:/usr/lib/sasl2# cat ldapsearch.conf pwcheck_method:
saslauthd mech_list: plain
I don't think this file will be used. The file must be names like the application name the software communicates to SASL, which is slapd for the openldap server.

Did you set
mech_list: plain
in slapd.conf in /usr/local/sasl2 to tell slapd to just offer PLAIN?