saslauthd and multiple dc levels

Dan White dwhite at
Tue Dec 30 09:42:41 EST 2014

On 12/30/14 10:52 +0100, Gabriele Bulfon wrote:
>So, first I changed openldap configuration with "sasl-secprops  none" to have also plain auth enabled.
>Running pluginviewer to see the plugins:
>sonicle at www:~$ pluginviewer -m PLAIN

>List of server plugins follows
>Plugin "plain" [loaded],        API version: 4
>List of client plugins follows
>Plugin "plain" [loaded],        API version: 4

>sonicle at www:~$ ldapsearch -xLLLH 'ldap://localhost/' -s base -b '' 'supportedSASLMechanisms'
>supportedSASLMechanisms: SCRAM-SHA-1
>supportedSASLMechanisms: GS2-IAKERB
>supportedSASLMechanisms: GS2-KRB5
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: OTP
>supportedSASLMechanisms: CRAM-MD5
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: ANONYMOUS
>Now, try plain auth doing a search of an existing user:
>sonicle at www:~$ ldapsearch -Y PLAIN -U test.user at -H ldap://localhost -W
>Enter LDAP Password:
>ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>additional info: SASL(-4): no mechanism available: No worthy mechs found
>Can't find a reason for ldapsearch not finding the plain mech.


Add a '-d -1' to get more detail. See the ldap.conf(5) manpage, and verify
you don't have any conflicting options set via relevant ENVIRONMENT

Check your syslog for any additional details (auth facility).

>Also, slapd has been built with sasl:
>sonicle at www:~$ ldd /sonicle/libexec/slapd
> =/sonicle/lib/
> =/lib/
> =/sonicle/lib/
> =/lib/
> =/lib/
> =/lib/
> =/lib/
> =/lib/
> =/lib/
> =/lib/
> =/lib/
> =/usr/sfw/lib/
> =/lib/
> =/lib/
> =/lib/

How about your libldap library and client utilities? Do they have access
to libsasl2 and the PLAIN shared library/mechanism? Try:

ldd `which ldapsearch`

And verify that the linked sasl library is the same as for slapd, or if
not, uses a good libsasl installation. Also, you may want to try ldapsearch
from another system with a known good sasl installation.

Dan White
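
The comparison suggested in the reply above, as an added shell example that is not part of the original message: it extracts the resolved libsasl2 path from ldd output for the client and for the server and reports whether they match. The ldd samples, the library version numbers and the /usr/lib path are constructed for illustration; /sonicle/libexec/slapd is the path shown in the quoted message.

```shell
#!/bin/sh
# Added example: compare the libsasl2 that a client and slapd resolve to.

# Read ldd-style output on stdin and print the resolved libsasl2 path.
# Prints MISSING when libsasl2 is linked but the loader cannot find it
# ("not found" on Linux, "(file not found)" on Solaris), and prints
# nothing when the binary does not link libsasl2 at all.
sasl_path() {
    awk '!seen && $1 ~ /^libsasl2\.so/ {
             if ($2 == "=>" && $3 ~ /^\//) print $3; else print "MISSING"
             seen = 1
         }'
}

# $1 = ldd output of the client, $2 = ldd output of the server.
compare_sasl() {
    client=$(printf '%s\n' "$1" | sasl_path)
    server=$(printf '%s\n' "$2" | sasl_path)
    if [ -z "$client" ]; then
        echo "client: not linked against libsasl2"
    elif [ "$client" = MISSING ]; then
        echo "client: libsasl2 linked but not found by the loader"
    elif [ "$client" != "$server" ]; then
        echo "mismatch: client=$client server=$server"
    else
        echo "same: $client"
    fi
}

# Constructed sample ldd output (not taken from the system in the thread).
CLIENT_LDD='    libc.so.1 => /lib/libc.so.1
    libsasl2.so.2 => /usr/lib/libsasl2.so.2'
SERVER_LDD='    libsasl2.so.3 => /sonicle/lib/libsasl2.so.3
    libc.so.1 => /lib/libc.so.1'

compare_sasl "$CLIENT_LDD" "$SERVER_LDD"

# On a real system, feed it live output instead:
#   compare_sasl "$(ldd "$(command -v ldapsearch)")" \
#                "$(ldd /sonicle/libexec/slapd)"
```

A mismatch means the client loads its SASL plugins from a different installation than slapd, so the PLAIN mechanism that slapd advertises may not be available to ldapsearch.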
