Re: ldapsearch and sasl

[Howard Chu <hyc@symas.com>]

Dieter Kluenter wrote:

> Hi,
>
> "James Wilde" <james_wilde@glocalnet.com> writes:
>  
>
> > and get a full listing from the ldap directory.
> >
> > However, I cannot run:
> >
> > ldapsearch -b dc=glocalnet,dc=net -D cn=Manager,dc=glocalnet,dc=net 
> > '(objectclass=*)'
> >
> > When I try, I get the following error message:
> >
> > SASL/DIGEST-MD5 authentication started
> > Please enter your password:
> > ldap_sasl_interactive_bind_s: Internal (implementation specific) error
> > (80)
> >         additional info: SASL(-13): user not found: no secret in
> > database
> With option -D you define a distinguished name, thus you have to initiate a
> simple bind with option -x and a password option -W or -w, see man
> ldapsearch(1) for more information.
>  
Actually it's irrelevant. Without "-x" it will perform a SASL Bind and 
then the DN specified by -D is ignored.

> > I have the following lines in slapd.conf:
> >
> > sasl_pwcheck_method: saslauthd
> >    
> this is not a configuration parameter in /etc/openldap/slapd.conf.
>  
Perhaps he meant /usr/lib/sasl2/slapd.conf.

If that's the case, this is a problem because saslauthd only supports 
cleartext authentication mechanisms, not DIGEST-MD5. DIGEST-MD5 will 
only work with an auxprop (which is the default) mech. You're better off 
not creating /usr/lib/sasl2/slapd.conf and just running with the default 
settings there.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support