
SASL/LDAP authentication questions?
Hi...

I have a couple of questions regarding SASL, OpenLDAP, and passwords.

I have SASL/OpenLDAP installed and the following fragment
from the slapd.conf:

database        ldbm
suffix          "o=NASH,dc=dell,dc=com"
rootdn          "cn=root,o=DAO,dc=dell,dc=com"
rootpw          {crypt}tcPo8hUG.cU7c
directory       /usr/local/openldap-1.2.11/var/NASH
index           uid pres,eq,sub
index           cn,sn pres,eq,sub

and I also specify two sasl user accounts as:

saslpasswd -c root
password=root
  
saslpasswd -c BSmith
password=BSmith

I add the following entries from an ldif file:

dn: o=NASH,dc=dell,dc=com
objectclass: dcObject
objectclass: organization
o: NASH
dc: dell

dn: uid=BSmith,o=NASH,dc=dell,dc=com
objectclass: top
objectclass: mcpactor
uid: BSeidel
cn: "Barry Smith"
sn: Barry Smith
userPassword: BSmith

I then execute the following:

ldapsearch -L -D uid=BSmith,o=NASH,dc=dell,dc=com -b "o=NASH,dc=dell,dc=com" -s sub \
        '(objectclass=*)' -W

When ldap prompts for the password, if I put in "BSmith", I get the
following:

SASL/DIGEST-MD5 authentication started 
ldap_sasl_interactive_bind_s; Invalid credentials
	additional info: Client 'response' doesn't match what we generated.

If I execute the same command, but instead of supplying "BSmith" when
prompted for the password I supply "root", everything works fine.  That is,
I get the above entry back from the ldapsearch.  Do I need to add some ACLs
to the slapd.conf file to allow access to users other than the rootdn?  My
guess is that I do.

Thanks

Tom
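An added example, not part of Tom's message and not OpenLDAP or Cyrus SASL code: a Python implementation of the RFC 2831 DIGEST-MD5 "response" computation that sits behind the error quoted above ("Client 'response' doesn't match what we generated"). It shows what the server actually compares: it recomputes the response from the password it holds for the SASL authentication id (authcid) the client sent, a sasldb user such as "root" or "BSmith", and checks it against the client's value. The realm, nonce, cnonce, digest-uri and the toy Sasldb user table are constructed for the demonstration; Sasldb is a stand-in for the real sasldb lookup, and the ASCII-only strings are encoded as UTF-8 (RFC 2831 uses ISO-8859-1 where possible, which is identical for ASCII).

```python
"""RFC 2831 DIGEST-MD5 response computation, with a toy server-side check.
Constructed values throughout; Sasldb is a stand-in, not the real sasldb."""
import hashlib
import hmac
from typing import Optional


def _h(data: bytes) -> bytes:
    """H(s) from RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:
    """HEX(H(s)): lowercase hexadecimal of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str,
                        authzid: Optional[str] = None) -> str:
    """Compute the 'response' directive of a DIGEST-MD5 client message
    (RFC 2831 section 2.1.2.1). Client and server both run this computation."""
    # A1 = H(username:realm:passwd) ":" nonce ":" cnonce [ ":" authzid ]
    # The inner H() enters A1 as raw bytes, not as hex.
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri [ ":" 32 zeros for auth-int / auth-conf ]
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    # where KD(k, s) = H(k ":" s)
    kd = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2.encode('utf-8'))}"
    return _hex_h(kd.encode("utf-8"))


class Sasldb:
    """Toy stand-in for the server-side sasldb: authcid -> password.
    The lookup key is the SASL authcid the client sent, not an LDAP DN."""

    def __init__(self, users: dict):
        self._users = dict(users)

    def verify(self, username: str, realm: str, client_response: str,
               nonce: str, cnonce: str, nc: str, qop: str,
               digest_uri: str) -> tuple:
        """Recompute the expected response for `username` from the stored
        password and compare it with the client's. Returns (ok, reason)."""
        password = self._users.get(username)
        if password is None:
            return False, "no such authcid in sasldb"
        expected = digest_md5_response(username, realm, password, nonce,
                                       cnonce, nc, qop, digest_uri)
        # Constant-time comparison, as a server should use for any such check.
        if hmac.compare_digest(expected, client_response):
            return True, "ok"
        return False, "Client 'response' doesn't match what we generated"


def run_scenarios() -> dict:
    """Run a few client attempts against the toy sasldb. All parameters are
    constructed stand-ins for what the real exchange would carry."""
    db = Sasldb({"root": "root", "BSmith": "BSmith"})
    realm, nonce, cnonce = "example.test", "AbCd1234serverNonce", "clientNonce5678"
    nc, qop, uri = "00000001", "auth", "ldap/ldap.example.test"

    def attempt(authcid: str, password: str) -> tuple:
        resp = digest_md5_response(authcid, realm, password, nonce, cnonce, nc, qop, uri)
        return db.verify(authcid, realm, resp, nonce, cnonce, nc, qop, uri)

    return {
        # authcid and password both match the sasldb entry
        "BSmith/BSmith": attempt("BSmith", "BSmith"),
        "root/root": attempt("root", "root"),
        # client hashes with a password the server does not hold for that authcid
        "root/BSmith": attempt("root", "BSmith"),
        # an LDAP DN is not a SASL authcid, so there is nothing to look up
        "dn-as-authcid": attempt("uid=BSmith,o=NASH,dc=dell,dc=com", "BSmith"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:16} -> {'OK' if ok else 'FAIL'}: {reason}")
```

The point to take from the scenarios is that the server's comparison involves only the authcid it was sent and the password stored for that authcid; the "root/BSmith" case reproduces the quoted error message, and the DN case shows that a bind DN is not what a sasldb lookup is keyed on.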