
Re: OpenLDAP session authentication



Erik,

Erik Lotspeich wrote on 05.10.2010 at 22:04:

> I have two questions/concerns:
>
> 1. If I leave the "-Y plain" option off of the argument list to ldapsearch, I get "Invalid credentials":
As far as I know from other SASL-using software (like Postfix), the
client always chooses the "securest" available mechanism offered by the
server.
So if you do not minimize the mechanisms offered, the client tries a
mechanism that might not be intended to be used.
[openldap may do it in another way, anyway - but I don't think so.]

> I have a configuration file in /usr/local/sasl2 for slapd.conf; I
> tried adding one for ldapsearch:
>
> root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
> pwcheck_method: saslauthd
> mech_list: plain
I don't think this file will be used. The file must be named like the application name the software communicates to SASL, which is slapd for the openldap server.

Did you set
mech_list: plain
in slapd.conf in /usr/local/sasl2 to tell slapd to just offer PLAIN?


Marc
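
Added example, not part of the original message and not OpenLDAP or Cyrus SASL code: a Python check that compares the SASL mechanisms slapd advertises in its rootDSE with what `pwcheck_method: saslauthd` can verify. The config text and LDIF are constructed samples; the check relies on saslauthd only verifying plaintext passwords, so shared-secret mechanisms offered alongside PLAIN cannot succeed against it.

```python
# Added example; the config text and LDIF below are constructed samples.
# Real rootDSE output can be fetched with:
#   ldapsearch -x -LLL -H ldap://localhost -b "" -s base supportedSASLMechanisms

# Shared-secret mechanisms need the stored secret (auxprop/sasldb);
# saslauthd only ever sees a plaintext password, so it cannot verify these.
SHARED_SECRET = ("DIGEST-MD5", "CRAM-MD5", "SCRAM-")

def parse_sasl_conf(text):
    """Parse a Cyrus SASL application config ('key: value' per line)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def offered_mechs(rootdse_ldif):
    """Collect supportedSASLMechanisms values from rootDSE LDIF."""
    mechs = []
    for line in rootdse_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.append(value.strip().upper())
    return mechs

def unverifiable(conf, mechs):
    """Offered mechanisms that will fail when passwords live behind saslauthd."""
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return []
    return [m for m in mechs if m.startswith(SHARED_SECRET)]

CONF = "pwcheck_method: saslauthd\n"                       # no mech_list yet
BEFORE = ("dn:\n"
          "supportedSASLMechanisms: DIGEST-MD5\n"
          "supportedSASLMechanisms: CRAM-MD5\n"
          "supportedSASLMechanisms: PLAIN\n")
AFTER = "dn:\nsupportedSASLMechanisms: PLAIN\n"            # with mech_list: plain

if __name__ == "__main__":
    conf = parse_sasl_conf(CONF)
    print("before:", unverifiable(conf, offered_mechs(BEFORE)))
    print("after: ", unverifiable(conf, offered_mechs(AFTER)))
```

An empty result after adding `mech_list: plain` to the server-side file means the client no longer has a mechanism to pick that saslauthd cannot check.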