Sponsoring a canon_user plugin for LDAP lookup

Howard Chu hyc at highlandsun.com
Mon Mar 12 17:03:35 EST 2007


Torsten Schlabach wrote:
> Hi Dan!
> 
> Thank you for taking the time for that detailed writeup.
> 
> I have taken a blank server with a fresh Debian Etch installation and 
> installed the very same packages you did. I did not yet apply the 
> patches as I wanted to make sure I get all that stuff right out of the 
> box before I dig into canonicalization.
> 
> Here is where I got stuck:
> 
> cyrus at Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
>  >  -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
>  >  -X u:dwhite SASL/EXTERNAL
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:

The -U flag is not meaningful with SASL/EXTERNAL. The "SASL/EXTERNAL" at 
the end of your command is erroneous. (In Dan's email it was merely a 
mis-wrapped line of text output.)

The EXTERNAL mechanism is only valid when you use an LDAP session that 
has an out-of-band mechanism for transmitting the client credentials to 
the server. That usually means a client certificate for TLS or IPSEC, or 
an ldapi:// session. You didn't specify any ldapi:// URI here and you 
didn't show what's in your ldap.conf file so presumably it's not using 
ldapi.

> 
> I do have the modules installed (which I know is a common gotcha):
> 
> cyrus at Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
> libsasl2                                        install
> libsasl2-2                                      install
> libsasl2-modules                                install
> libsasl2-modules-ldap                           install
> 
> Any idea what I am missing?
> 
> Do you have a 32 or 64 bit system?
> 
> Regards,
> Torsten
> 
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
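
Added example, not part of the original message and not OpenLDAP code: on Linux, a server reading the kernel-supplied peer credentials of a Unix-domain socket is the kind of out-of-band identity that an ldapi:// session gives SASL/EXTERNAL, while a TCP socket carries none. The function names are hypothetical, the sockets are constructed stand-ins for ldapi:// and ldap:// connections, and the identity string follows the peercred form quoted in the command above.

```python
import os
import socket
import struct

# Linux "struct ucred" as returned by SO_PEERCRED: pid, uid, gid (three C ints).
UCRED = struct.Struct("3i")


def peercred_authcid(sock):
    """Return a peercred-style identity for a Unix-socket peer, or None.

    The uid and gid are reported by the kernel for the process that created
    the peer socket; nothing the client sends (such as -U) can change them.
    """
    if sock.family != socket.AF_UNIX:
        # Simplified model: this transport has no out-of-band credentials,
        # so there is nothing for EXTERNAL to authenticate with.
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, gid = UCRED.unpack(raw)
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def demo():
    # Constructed stand-in for an ldapi:// session: a connected Unix socket pair.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    # Constructed stand-in for a plain ldap:// session: an unconnected TCP socket.
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return peercred_authcid(server_side), peercred_authcid(tcp)
    finally:
        for s in (server_side, client_side, tcp):
            s.close()


if __name__ == "__main__":
    unix_id, tcp_id = demo()
    print("Unix socket (ldapi-like):", unix_id)
    print("TCP socket (ldap-like):  ", tcp_id)
```
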