LDAP auth failure

Chapman, Kyle Kyle_Chapman at G1.com
Tue Nov 27 11:01:05 EST 2007


Example: /usr/local/bin/ldapsearch -Y digest-md5 -U herm14266x -s base -b ""

If things are set for digest-md5 use for the user in the directory (see
the openldap doc), you should be able to get a good sasl bind (if sasl
is working ok).  The ldapsearch you showed was a simple bind as opposed
to a sasl bind which might use gssapi (AD, krb5), digest/cram-md5,
etc...

Note that ldap+sasl validation is kind of jumping sasl checks on its
own.  If it works, then you MIGHT be able to think all of sasl is ok.
Others can say with more certainty if that is the case.  Check this next
statement with openldap doc, as I recall digest/cram-md5 required the
password (shared secret if you prefer) be stored in cleartext in the
directory.  Not sure if that is an issue in this case.  The slapd.conf
passwd is the rootdn passwd, which is not required, you can use sasl
mechs for this instead (see the openldap doc, many many options here).
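The point above about digest/cram-md5 needing the password in cleartext, as an added example that is not code from this thread, Cyrus SASL or OpenLDAP: it computes the RFC 2831 DIGEST-MD5 client response and shows that a server holding only a {MD5} (or, equally, {CRYPT}) userPassword cannot recompute it, while a cleartext value can be verified. The realm and digest-uri are taken from the host in the thread; the username, password, nonces and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values; the realm/host follows the thread, the rest is invented.
REALM = "roadrunner.cabm.rutgers.edu"
DIGEST_URI = "ldap/roadrunner.cabm.rutgers.edu"


def ldap_md5_scheme(password: str) -> str:
    """userPassword in OpenLDAP's {MD5} form: base64 of the raw MD5 digest (one-way).
    {CRYPT} uses a different algorithm but is equally one-way for this purpose."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def digest_md5_response(username, password, nonce, cnonce, nc="00000001", qop="auth"):
    """Client response-value for DIGEST-MD5 (RFC 2831 2.1.2.1, qop=auth, no authzid).
    A1 starts with the *raw* MD5 of user:realm:password, so the server can only
    recompute it from the cleartext password (or a stored copy of that inner hash)."""
    md5 = lambda data: hashlib.md5(data).digest()
    a1 = md5(f"{username}:{REALM}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{DIGEST_URI}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}".encode()
    return md5(kd).hex()


def cram_md5_response(username, password, challenge):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the cleartext password, same constraint."""
    return f"{username} {hmac.new(password.encode(), challenge.encode(), 'md5').hexdigest()}"


def server_can_verify(stored_userpassword, username, nonce, cnonce, client_response):
    """What the server can do with the userPassword it holds during a DIGEST-MD5 bind.
    A {scheme}-prefixed value is a one-way hash of the password alone, which is not
    the user:realm:password digest A1 needs, so no recomputation is possible."""
    if stored_userpassword.startswith("{"):
        return False
    expected = digest_md5_response(username, stored_userpassword, nonce, cnonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    user, pw, nonce, cnonce = "herm14266x", "secret", "srvnonce01", "clinonce01"
    resp = digest_md5_response(user, pw, nonce, cnonce)
    print("cleartext userPassword:", server_can_verify(pw, user, nonce, cnonce, resp))
    print("{MD5} userPassword:    ", server_can_verify(ldap_md5_scheme(pw), user, nonce, cnonce, resp))
```

This is why a directory whose userPassword values are all {CRYPT} will fail DIGEST-MD5 and CRAM-MD5 binds even when the simple bind (-x) with the same password succeeds.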

-----Original Message-----
From: Shelley Waltz [mailto:shwaltz at cabm.rutgers.edu] 
Sent: Monday, November 26, 2007 1:31 PM
To: Chapman, Kyle
Cc: cyrus-sasl at lists.andrew.cmu.edu
Subject: RE: LDAP auth failure

Installed

[root at roadrunner src]# rpm --install cyrus-sasl-ldap-2.1.22-4.i386.rpm
[root at roadrunner src]# rpm --install cyrus-sasl-md5-2.1.22-4.i386.rpm

and stopped/started ldap and saslauthd;
the results are the same.

Regarding doing sasl binds with ldapsearch, I am somewhat confused.
The rootdn == roadrunner.cabm.rutgers.edu password in the slapd.conf
file is in {MD5}; however, the userPassword for each uid is in {CRYPT}
in my LDAP database.

What ldapsearch?



On Mon, 26 Nov 2007, Chapman, Kyle wrote:

   Your first ldapsearch example was with a non sasl bind (-x).  Try
   ldapsearch -Y <sasl mech> <other params>
   Looks like digest/cram-md5, gssapi mechs are not installed (at least
   via rpm???)
   
   Perhaps installing these may help as well:
   cyrus-sasl-ldap-2.1.22-4
   cyrus-sasl-md5-2.1.22-4
   
   To be clear, all this will do is validate that ldap+sasl is working
   ok, so do any of the other samples for sasl work (I'm used to the src
   build where the test stuff is under 'sample').
   
   
   -----Original Message-----
   From: Shelley Waltz [mailto:shwaltz at cabm.rutgers.edu] 
   Sent: Monday, November 26, 2007 12:26 PM
   To: cyrus-sasl at lists.andrew.cmu.edu; Chapman, Kyle
   Subject: RE: LDAP auth failure
   
   [root at roadrunner openldap]# rpm -qa|grep sasl
   cyrus-sasl-lib-2.1.22-4
   cyrus-sasl-2.1.22-4
   cyrus-sasl-devel-2.1.22-4
   cyrus-sasl-plain-2.1.22-4
   
   I mentioned that the md5 password for the rootdn does indeed work in
   my "luma" ldap browser/editor as well with ldapsearch non-anonymously.
   
   
   
   On Mon, 26 Nov 2007, Chapman, Kyle wrote:
   
      Is the digest-md5 or other sasl mechs installed (some distros did
      the mechs as sep rpms, don't recall what RH did)?
      
      Can you do any sasl binds with ldapsearch with the dn of:
      cn=waltz_shelley,dc=cabm.rutgers,dc=edu
    