Failing at 1st test-the-SASL-server steps

Ric relentless at hush.com
Fri Sep 5 12:16:24 EDT 2008


Hi Sean,

On Fri, 05 Sep 2008 08:14:31 -0700 Sean O'Malley <omalleys at msu.edu> wrote:
>It is better in the fact, you are pretty sure you have a 
>configuration issue and you are connecting :)

I'm not so sure I'm connecting to the right server :-/

>You may need -u <username> for the client piece which corresponds 
>to your kerberos principal.

What should "-u <username>" be an option to?  Usage for the sample 
client & server apps says just,

  usage: client [-p port] [-s service] [-m mech] host
  usage: server [-p port] [-s service] [-m mech]

>You actually need '-s slapd'

My understanding was that the (service) had to be defined in 
/etc/services.

On my standard install,

 egrep -i "ldap|slapd" /etc/services
  ldap            389/tcp    # Lightweight Directory Access Protocol
  ldap            389/udp    # Lightweight Directory Access Protocol
  ldaps           636/tcp    # ldap protocol over TLS/SSL (was sldap)
  ldaps           636/udp    # ldap protocol over TLS/SSL (was sldap)
  www-ldap-gw     1760/tcp   # www-ldap-gw
  www-ldap-gw     1760/udp   # www-ldap-gw
  msft-gc-ssl     3269/tcp   # Microsoft Global Catalog with LDAP/SSL
  msft-gc-ssl     3269/udp   # Microsoft Global Catalog with LDAP/SSL
  ldap-admin      3407/tcp   # LDAP admin server port
  ldap-admin      3407/udp   # LDAP admin server port
  bmc_ctd_ldap    6301/tcp   # BMC CONTROL-D LDAP SERVER
  bmc_ctd_ldap    6301/udp   # BMC CONTROL-D LDAP SERVER

So, 'ldap' exists there -- and I used it.  'slapd' does not -- so 
do I have to add something to /etc/services, and then use that?

> and a corresponding slapd.conf
> in /usr/lib/sasl2/slapd.conf

Reading @ cyrus-sasl's docs/sysadmin.html,

    "The default configuration file
    
    By default, the Cyrus SASL library reads it's options from 
/usr/lib/sasl2/App.conf (where "App" is the application defined 
name of the application). For instance, Sendmail reads it's 
configuration from "/usr/lib/sasl2/Sendmail.conf" and the sample 
server application included with the library looks in 
"/usr/lib/sasl2/sample.conf"."

So, which do I need?

    /usr/lib/sasl2/slapd.conf
    /usr/lib/sasl2/sample.conf

or,

    /usr/lib/sasl2/cyrus_sasl_sample_server.conf

Also, on my system,

	locate slapd.conf
		/etc/openldap/slapd.conf
		/etc/sasl2/slapd.conf
		/usr/share/man/man5/slapd.conf.5.gz

Note that the sasl2's slapd.conf is, by default, apparently in 
/etc/sasl2/, not in /usr/lib/sasl2, which both you & the docs 
reference.

Finally,

	find /usr -type d | grep sasl | grep lib
		/usr/lib64/sasl2


>that simply reads something like:
>mech_list: GSSAPI

Given the confusion above, for a test I simply covered all bases 
... following as best I can what I've found on the web,

 vi /usr/lib64/sasl2/slapd.conf
  log_level: 7
  pwcheck_method: auxprop
  mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
  auxprop_plugin: sasldb
  sasldb_path: /etc/sasldb2

then, 

  setenv F /usr/lib64/sasl2/slapd.conf
  mkdir /usr/lib/sasl2
  cp -f $F /usr/lib/sasl2/slapd.conf
  cp -f $F /usr/lib/sasl2/sample.conf
  cp -f $F /usr/lib/sasl2/cyrus_sasl_sample_server.conf

  cp -f $F /etc/sasl2/slapd.conf
  cp -f $F /etc/sasl2/sample.conf
  cp -f $F /etc/sasl2/cyrus_sasl_sample_server.conf

With all that, I see just

 cyrus_sasl_sample_server -p 389 -s ldap -m GSSAPI
  trying 2, 1, 6
  bind: Address already in use
  trying 10, 1, 6
  socket: Address family not supported by protocol
  Couldn't bind to any socket

 service ldap stop
  Shutting down ldap-server    done
 cyrus_sasl_sample_server -p 389 -s ldap -m GSSAPI
  trying 2, 1, 6
  trying 10, 1, 6
  socket: Address family not supported by protocol

@ syslog:
 Sep  5 09:08:31 dirsvr cyrus_sasl_sample_server: auxpropfunc error invalid parameter supplied
 Sep  5 09:08:31 dirsvr cyrus_sasl_sample_server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

and,

 cyrus_sasl_sample_client -p 389 -s ldap -m GSSAPI dirsvr.domain.com
  connect: Connection refused
 service ldap start
  Starting ldap-server    done
 cyrus_sasl_sample_client -p 389 -s ldap -m GSSAPI dirsvr.domain.com

@ syslog:
 Sep  5 09:13:16 dirsvr slapd[30574]: conn=2 fd=11 ACCEPT from IP=10.0.1.16:48946 (IP=10.0.1.16:389)

>I can't find my notes atm. but that should give you a couple of 
>more things to try.

The docs seem to me to be a mess; at least, they're horribly 
confusing.

Thanks for your help!

Ric

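An added example, not from the message above nor from cyrus-sasl itself, for the question of which App.conf the library actually reads. Cyrus SASL looks for <appname>.conf, where appname is the string the program passes to sasl_server_init() (the library's sample server uses "sample", OpenLDAP's slapd uses "slapd"), in whichever directory the library was built to use: the plugin directory (/usr/lib/sasl2, or /usr/lib64/sasl2 on 64-bit builds) or a separate config directory such as /etc/sasl2. Rather than guessing, the script below checks every candidate directory for a given application name and, for each file it finds, reports the mech_list, whether the mechanism you want (GSSAPI here) is enabled, and whether cleartext mechanisms (PLAIN, LOGIN) are also offered. The directory list, the function names and the constructed test files are this example's own choices, not cyrus-sasl defaults. On the separate point of the -s argument: for the GSSAPI mechanism the service name is the service part of the Kerberos principal the server's keytab must hold (ldap/<fqdn>@REALM for an LDAP server), not an /etc/services lookup, so "-s ldap" is the right value for testing against an LDAP server's keytab.

```sh
#!/bin/sh
# Added example (not code from the thread or from cyrus-sasl): list the
# per-application Cyrus SASL config files that exist for an application
# name and report which mechanisms each one enables.
#
# Cyrus SASL reads <appname>.conf, where <appname> is the string the
# program passes to sasl_server_init(): the library's sample server uses
# "sample", OpenLDAP's slapd uses "slapd". The directory searched is a
# build-time choice (the plugin directory, e.g. /usr/lib/sasl2 or
# /usr/lib64/sasl2, or a separate config directory such as /etc/sasl2),
# so every candidate is checked rather than guessing one.

# Candidate directories (this script's own list; adjust for your build).
SASL_CONF_DIRS="/etc/sasl2 /usr/lib/sasl2 /usr/lib64/sasl2"
# Newer releases also honour SASL_CONF_PATH (colon-separated) for
# non-setuid programs; search it first when set.
if [ -n "${SASL_CONF_PATH:-}" ]; then
    SASL_CONF_DIRS="$(printf '%s' "$SASL_CONF_PATH" | tr ':' ' ') $SASL_CONF_DIRS"
fi

# sasl_find_conf APPNAME [DIR...]
# Print every existing DIR/APPNAME.conf (default DIRs: $SASL_CONF_DIRS).
# Returns 1 if none exists.
sasl_find_conf() {
    app=$1; shift
    [ $# -gt 0 ] || set -- $SASL_CONF_DIRS
    found=1
    for d in "$@"; do
        if [ -f "$d/$app.conf" ]; then
            printf '%s\n' "$d/$app.conf"
            found=0
        fi
    done
    return $found
}

# sasl_conf_get FILE OPTION
# Print the value of "OPTION: value" from a SASL config file, ignoring
# comment lines (those starting with '#'); empty if the option is absent.
sasl_conf_get() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" \
      | head -n 1 \
      | sed -e 's/[[:space:]]*$//'
}

# sasl_conf_has_mech FILE MECH
# Succeed if MECH would be offered: it is in mech_list, or mech_list is
# absent (Cyrus SASL then offers every installed mechanism plugin).
sasl_conf_has_mech() {
    list=$(sasl_conf_get "$1" mech_list)
    [ -z "$list" ] && return 0
    for m in $list; do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# sasl_check_app APPNAME MECH
# Human-readable report over every config file found; always returns 0.
sasl_check_app() {
    app=$1; want=$2
    files=$(sasl_find_conf "$app") || files=""
    if [ -z "$files" ]; then
        echo "no $app.conf in: $SASL_CONF_DIRS"
        echo "  (library defaults apply: every installed mechanism is offered)"
        return 0
    fi
    printf '%s\n' "$files" | while IFS= read -r f; do
        list=$(sasl_conf_get "$f" mech_list)
        echo "$f"
        echo "  mech_list:      ${list:-<unset: all installed mechanisms>}"
        echo "  pwcheck_method: $(sasl_conf_get "$f" pwcheck_method)"
        if sasl_conf_has_mech "$f" "$want"; then
            echo "  $want: enabled"
        else
            echo "  $want: NOT in mech_list"
        fi
        # PLAIN and LOGIN send the password in the clear; they are only
        # safe when the application runs SASL inside TLS.
        for clear in PLAIN LOGIN; do
            if sasl_conf_has_mech "$f" "$clear"; then
                echo "  warning: $clear offered (cleartext password unless TLS-protected)"
            fi
        done
    done
    return 0
}

# Usage: sh sasl_conf_check.sh [appname] [mechanism]   (defaults: sample GSSAPI)
sasl_check_app "${1:-sample}" "${2:-GSSAPI}"
```

Run it as "sh sasl_conf_check.sh sample GSSAPI" to see what the sample server would pick up, and with "slapd" for the real directory server; if it reports no file at all, the library is running on its built-in defaults, which is also why a test with an unconfigured sample server can still show GSSAPI in the mechanism list.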