
Re: pass-through authentication



On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwhite@cafedemocracy.org> wrote:
Is DIGEST-MD5 available on your ldap server? Try:

ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" supportedSASLMechanisms

On 12/31/15 09:51 -0600, Timothy Keith wrote:
Dan, that ldapsearch returns:
dn:
supportedSASLMechanisms: PLAIN


On Mon, Jan 4, 2016 at 1:16 PM, Dan White <dwhite@cafedemocracy.org> wrote:
On 01/04/16 09:41 -0600, Timothy Keith wrote:

ldapwhoami -Y PLAIN -H ldap://182.19.136.42 -U testuser

produces:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
       additional info: SASL(-4): no mechanism available: No worthy mechs found

On 01/04/16 14:47 -0600, Timothy Keith wrote:
pluginviewer returned this, as well as several other plugins:

List of server plugins follows


Plugin "plain" [loaded],        API version: 4
       SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
       security flags: NO_ANONYMOUS
       features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

Something doesn't add up here. The remote server claims to support sasl
plain, and your local server claims to support it as well.

I suppose your server could be claiming support, but not really supporting
it without a security layer, in which case you might investigate doing
ssl/starttls.

See if you can get a hold of any logs from the server.

--
Dan White
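
Added example (not part of the original messages, and not code from OpenLDAP or Cyrus SASL): a small Python check that compares the mechanisms the root DSE advertises with those pluginviewer reports locally, and flags a common mechanism that is plaintext with a best SSF of 0, the case where the thread suggests ssl/starttls. The sample inputs are constructed from the outputs quoted above; the function names are hypothetical.

```python
import re

# Constructed sample inputs, shaped like the outputs quoted in the thread.
ROOT_DSE_LDIF = """dn:
supportedSASLMechanisms: PLAIN
"""
PLUGINVIEWER_OUT = """Plugin "plain" [loaded],        API version: 4
       SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
       security flags: NO_ANONYMOUS
       features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
"""

def server_mechs(ldif):
    """Mechanisms advertised in the root DSE, one attribute value per line."""
    pattern = r"(?im)^supportedSASLMechanisms:\s*(\S+)\s*$"
    return {m.group(1).upper() for m in re.finditer(pattern, ldif)}

def local_plugins(text):
    """Map mechanism name -> best SSF and security flags from pluginviewer output."""
    plugins, current = {}, None
    for line in text.splitlines():
        mech = re.search(r"SASL mechanism:\s*([\w-]+),\s*best SSF:\s*(\d+)", line)
        flags = re.search(r"security flags:\s*(\S+)", line)
        if mech:
            current = mech.group(1).upper()
            plugins[current] = {"ssf": int(mech.group(2)), "flags": set()}
        elif flags and current:
            plugins[current]["flags"] = set(flags.group(1).split("|"))
    return plugins

def diagnose(ldif, pluginviewer_text):
    """Return (mechanism, finding) pairs, sorted by mechanism name."""
    remote, local = server_mechs(ldif), local_plugins(pluginviewer_text)
    report = []
    for mech in sorted(remote | set(local)):
        if mech not in local:
            finding = "advertised by server, no local plugin"
        elif mech not in remote:
            finding = "local plugin, not advertised by server"
        elif local[mech]["ssf"] == 0 and "NO_PLAINTEXT" not in local[mech]["flags"]:
            finding = "common, plaintext with SSF 0: retry over StartTLS or ldaps"
        else:
            finding = "common"
        report.append((mech, finding))
    return report

if __name__ == "__main__":
    for mech, finding in diagnose(ROOT_DSE_LDIF, PLUGINVIEWER_OUT):
        print(f"{mech}: {finding}")
```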