saslauthd and multiple dc levels

Dan White dwhite at olp.net
Tue Dec 30 09:42:41 EST 2014


On 12/30/14 10:52 +0100, Gabriele Bulfon wrote:
>So, first I changed openldap configuration with "sasl-secprops  none" to have also plain auth enabled.
>Running pluginviewer to see the plugins:
>sonicle@www:~$ pluginviewer -m PLAIN

>List of server plugins follows
>Plugin "plain" [loaded],        API version: 4
>List of client plugins follows
>Plugin "plain" [loaded],        API version: 4

>sonicle@www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
>dn:
>supportedSASLMechanisms: SCRAM-SHA-1
>supportedSASLMechanisms: GS2-IAKERB
>supportedSASLMechanisms: GS2-KRB5
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: OTP
>supportedSASLMechanisms: CRAM-MD5
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: ANONYMOUS
>Now, try plain auth doing a search of an existing user:
>sonicle@www:~$ ldapsearch -Y PLAIN -U test.user@sonicle.com -H ldap://localhost -W
>Enter LDAP Password:
>ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>additional info: SASL(-4): no mechanism available: No worthy mechs found
>Can't find a reason for ldapsearch not finding the plain mech.

Odd.

Add a '-d -1' to get more detail. See the ldap.conf(5) manpage, and verify
you don't have any conflicting options set via relevant ENVIRONMENT
VARIABLES or FILES.

Check your syslog for any additional details (auth facility).

>Also, slapd has been built with sasl:
>sonicle@www:~$ ldd /sonicle/libexec/slapd
>libdb-4.8.so => /sonicle/lib/libdb-4.8.so
>libpthread.so.1 => /lib/libpthread.so.1
>libsasl2.so.2 => /sonicle/lib/libsasl2.so.2
>libdl.so.1 => /lib/libdl.so.1
>libssl.so.0.9.8 => /lib/libssl.so.0.9.8
>libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
>libresolv.so.2 => /lib/libresolv.so.2
>libgen.so.1 => /lib/libgen.so.1
>libnsl.so.1 => /lib/libnsl.so.1
>libsocket.so.1 => /lib/libsocket.so.1
>libc.so.1 => /lib/libc.so.1
>libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
>libmd.so.1 => /lib/libmd.so.1
>libmp.so.2 => /lib/libmp.so.2
>libm.so.2 => /lib/libm.so.2

How about your libldap library and client utilities? Do they have access
to libsasl2 and the PLAIN shared library/mechanism? Try:

ldd `which ldapsearch`

And verify that the linked sasl library is the same as for slapd, or if
not, uses a good libsasl installation. Also, you may want to try ldapsearch
from another system with a known good sasl installation.

-- 
Dan White
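
The comparison suggested in the reply above, as an added example that is not part of the original message: it reads the `ldd` output of the server and of the client and reports whether both resolve the same libsasl2. The function names and the client sample are constructed for illustration; only the slapd libsasl2 path comes from the thread.

```shell
#!/bin/sh
# Added example: compare the libsasl2 a server and a client binary resolve to.

# Read ldd output on stdin; print the path libsasl2 resolves to,
# "not found" if the loader cannot resolve it, nothing if it is not linked.
sasl_path() {
    awk '$1 ~ /^libsasl2\.so/ { print ($3 == "not" ? "not found" : $3); exit }'
}

# $1 = ldd output of the server, $2 = ldd output of the client.
compare_sasl() {
    server=$(printf '%s\n' "$1" | sasl_path)
    client=$(printf '%s\n' "$2" | sasl_path)
    if [ -z "$client" ]; then
        echo "client-no-sasl"        # client built without SASL support
    elif [ "$client" = "not found" ]; then
        echo "client-unresolved"     # linked, but the loader cannot find it
    elif [ "$client" != "$server" ]; then
        echo "different"             # two libsasl installations in play
    else
        echo "same"
    fi
}

# slapd's libsasl2 path as posted in the thread (other lines omitted).
SERVER_LDD='libdb-4.8.so => /sonicle/lib/libdb-4.8.so
libsasl2.so.2 => /sonicle/lib/libsasl2.so.2'

# Constructed sample: a client picking up a system-wide libsasl2 instead.
CLIENT_LDD='libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2
libsasl2.so.2 => /usr/lib/libsasl2.so.2'

if [ "$#" -eq 2 ]; then
    # Live check: pass the server binary and the client binary as arguments.
    compare_sasl "$(ldd "$1")" "$(ldd "$2")"
else
    # No arguments: run on the embedded samples.
    compare_sasl "$SERVER_LDD" "$CLIENT_LDD"
fi
```

A result of `different` is not an error by itself; it shows which libsasl installation the client loads, which is the one whose PLAIN plugin has to be checked.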

