Re: BINDDN in ~/.ldaprc ignored(?)

[Frank Thommen <f.thommen@dkfz-heidelberg.de>]

On 02/09/2016 03:41 PM, Dan White wrote:
> On 02/09/16 10:28 +0100, Frank Thommen wrote:
> > BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.
> >
> > /etc/openldap/ldap.conf is empty.
> >
> > ~/.ldaprc is:
> >
> > $ cat ~/.ldaprc
> > BINDDN      <myBindDN>
> > BASE        <myBaseDN>
> > URI         ldaps://<myLDAPServer>
> > TLS_REQCERT never
> > $
> >
> >
> > ldapsearch returns an error if I don't declare the bindDN on the
> > commandline:
> >
> > $ ldapsearch -W -v cn=xyz
> > ldap_initialize( <DEFAULT> )
> > Enter LDAP Password:
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > 	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> > GSS failure.  Minor code may provide more information (No Kerberos
> > credentials available)
> > $
>
> For SASL binds, specify SASL_AUTHCID instead; however this option will be
> ignored by the sasl library for GSSAPI binds, in which case SASL_AUTHZID
> may be used if you need to specify an authz identity.

Thanks.  But even after reading through a dozen different webpages and 
documentations I still don't understand how a SASL_AUTHCID or 
SASL_AUTHZID looks like and from where I get the appropriate information.


> For non-sasl binds, specify '-x' on your command line, which does make use
> of BINDDN.

yes, that works fine.  Maybe it should be made clearer in the manpage, 
that BINDDN does not apply (?) when not using simple authentication?

frank