Sponsoring a canon_user plugin for LDAP lookup

Dan White dwhite at olp.net
Mon Mar 12 17:13:42 EST 2007


Right. The SASL/EXTERNAL was a copy and paste error, the
command was supposed to end with '...u:dwhite'. The -U
was unnecessary. This command does the same thing:

ldapwhoami -Y EXTERNAL -X u:dwhite

The contents of my /etc/ldap/ldap.conf file are:
=========
BASE    dc=nodomain
URI     ldapi:///
=========

and I forgot to mention that I modified /etc/default/slapd
like so, so that slapd listens on ldapi:

SLAPD_SERVICES="ldap:/// ldapi:///"

- Dan

Howard Chu wrote:
> Torsten Schlabach wrote:
>> Hi Dan!
>>
>> Thank you for taking the time for that detailed writeup.
>>
>> I have taken a blank server with a fresh Debian Etch installation and 
>> installed the very same packages you did. I did not yet apply the 
>> patches as I wanted to make sure I get all that stuff right out of 
>> the box before I dig into canonicalization.
>>
>> Here is where I got stuck:
>>
>> cyrus at Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
>>  >  -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
>>  >  -X u:dwhite SASL/EXTERNAL
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>
> The -U flag is not meaningful with SASL/EXTERNAL. The "SASL/EXTERNAL" 
> at the end of your command is erroneous. (In Dan's email it was merely 
> a mis-wrapped line of text output.)
>
> The EXTERNAL mechanism is only valid when you use an LDAP session that 
> has an out-of-band mechanism for transmitting the client credentials 
> to the server. That usually means a client certificate for TLS or 
> IPSEC, or an ldapi:// session. You didn't specify any ldapi:// URI 
> here and you didn't show what's in your ldap.conf file so presumably 
> it's not using ldapi.
>
>>
>> I do have the modules installed (which I know is a common gotcha):
>>
>> cyrus at Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
>> libsasl2                                        install
>> libsasl2-2                                      install
>> libsasl2-modules                                install
>> libsasl2-modules-ldap                           install
>>
>> Any idea what I am missing?
>>
>> Do you have a 32 or 64 bit system?
>>
>> Regards,
>> Torsten
>>
>>
>
>


