
Re: SASL authentication - please help



Hello,

Thanks to those of you who took the time to respond, both publicly and 
privately, to my SASL question.  Thanks in particular to Dennis Glatting, 
whose suggestions I've implemented.  However, SASL is still not working.  You 
might imagine my frustration after 30 hours.

I have since attempted to re-compile OpenLDAP 2.0.11 in order to enable SASL 
authentication.  make test reports no errors.  Here is the configure string I 
used:

[root@server openldap-2.0.11]./configure --with-cyrus-sasl --without-kerberos 
--enable-crypt --enable-spasswd

Using ldapsearch to retrieve the value of supportedSASLMechanisms:

[root@server openldap-2.0.11]# ldapsearch -x -L -s "base" -b "" 
supportedSASLMechanisms
version: 1

#
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:

# search result

# numResponses: 2
# numEntries: 1

Another way:

[root@server openldap-2.0.11]# ldapsearch -d 2
ber_flush: 64 bytes to sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_write: want=64, written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  09                                                 .
ldap_read: want=9, got=9
  0000:  02 01 01 64 04 04 00 30  00                        ...d...0.
ldap_read: want=1, got=1
  0000:  30                                                 0
ldap_read: want=1, got=1
  0000:  0c                                                 .
ldap_read: want=12, got=12
  0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
request 1 done
ldap_sasl_interactive_bind_s: No such attribute

My slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/local.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
disallows       bind_krbv4

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
rootdn          "cn=manager,dc=company,dc=com"
rootpw          {crypt}blxwnqugJA8Hw
suffix          "dc=company,dc=com"

updatedn        "UID=MANAGER+REALM=SERVER.COMPANY.COM"
updateref       ldap://ldap.company.com

security        update_ssf=112

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-ldbm
mode    0600
 
# Indices to maintain
index   objectClass                             eq,pres
index   uid                                     eq
 
index   cn                                      eq,sub
index   mail                                    eq,pres,sub
index   givenName                               eq,sub
index   sn                                      eq,sub
index   o                                       eq,sub
 
#ldbm access control definitions
access to attr=userPassword
        by dn="cn=manager, dc=company, dc=com" write
        by * none
 
access to *
        by anonymous read
        by dn="cn=manager, dc=company, dc=com" write
 
dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000


On Friday 24 August 2001 06:48 am, you wrote:
> Hello everyone,
>
> After 25 hours of work on installing OpenLDAP 2.0.11 with SASL, I'm writing
> to you for help.  I realize this is one of the most commonly asked
> questions on the list. I have already reviewed the 518 posts that are in
> the list archive (search for "SASL;2001") and have not found my answer. 
> However, I have printed out and followed the instructions in those that
> seemed most promising.  I have also reviewed the man pages, the systems
> administrators guide, an "Exchange Server Replacement How-To", and a "LDAP
> v3 How-To" by Turbo Fredrikson.
>
> I would like to use SASL to encrypt the username & password used in
> replication.  I don't mind if the rest of the replication traffic goes
> plain text over the wire - user passwords aren't being stored on the LDAP
> server. I don't see any need to install Kerberos.  You'll note in the
> installation instructions, I specifically mention OpenSSL - I don't believe
> this is required to use SASL but I've installed it "just in case".
>
> My most recent attempt was working on a clean install on a blank hard
> drive. I would like to present you with the problem, and with the steps I
> have taken to install the relevant software.  These steps are being written
> as part of an installation guide for a project I am working on.  So that
> you know, OpenLDAP, OpenSSL, and Cyrus SASL are all compiled from the most
> recent source versions.  As well, I confirmed that SASL was working using
> the sample-server and sample-client programs.  The 'make test' for OpenLDAP
> completed without error.
>
> I am doing this in the hopes that someone who has successfully configured
> OpenLDAP with SASL will email me with a solution, or some direction to
> take. I have followed what few instructions that I have found to the best
> of my abilities.
>
> Note: this is a long email.  If you feel like skipping down to the next
> section, use your find command and look for ---
>
> ---The problem, as seen from the client machine---
>
> [root@server /root]# ldapsearch -x -b "" -s base -LLL
> supportedSASLMechanisms dn:
>
> [root@server /root]# ldapsearch -d 2
> ber_flush: 64 bytes to sd 3
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
> ldap_write: want=64, written=64
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  09                                                 .
> ldap_read: want=9, got=9
>   0000:  02 01 01 64 04 04 00 30  00                        ...d...0.
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  0c                                                 .
> ldap_read: want=12, got=12
>   0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
> request 1 done
> ldap_sasl_interactive_bind_s: No such attribute
>
> ---The problem, as seen from the primary LDAP server---
>
> [root@ldap openldap]# /usr/local/libexec/slurpd -d 255
> Config: opening config file "/usr/local/etc/openldap/slapd.conf"
> Config: (include                /usr/local/etc/openldap/schema/core.schema)
> Config: (include                /usr/local/etc/openldap/schema/cosine.schema)
> Config: (include                /usr/local/etc/openldap/schema/inetorgperson.schema)
> Config: (include                /usr/local/etc/openldap/schema/local.schema)
> Config: (pidfile                /usr/local/var/slapd.pid)
> Config: (argsfile       /usr/local/var/slapd.args)
> Config: (loglevel 0)
> Config: (idletimeout 30)
> Config: (sizelimit 100)
> Config: (timelimit 120)
> Config: (defaultsearchbase "dc=company,dc=com")
> Config: (schemacheck on)
> Config: (database       ldbm)
> Config: (replica host=server.company.com:389
> binddn="cn=LDAProot,dc=company,dc=com"   bindmethod=sasl
> saslmech=DIGEST-MD5 authcID="server.company.com"   realm=server.company.com
> credentials="c19vffxx")
> Config: ** successfully added replica "server.company.com:389"
> Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
> Config: (lastmod                off)
> Config: (suffix         "dc=company,dc=com")
> Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
> Config: (rootpw         {crypt}SAf0p11tbz3MQ)
> Config: (directory      /usr/local/var/openldap-ldbm)
> Config: (index  objectClass                             eq,pres)
> Config: (index  uid                                     eq)
> Config: (index  cn                                      eq,sub)
> Config: (index  mail                                    eq,pres,sub)
> Config: (index  givenName                               eq,sub)
> Config: (index  sn                                      eq,sub)
> Config: (index  o                                       eq,sub)
> Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company,
> dc=com" write    by * none)
> Config: (access to *    by anonymous read       by dn="cn=LDAPRoot,
> dc=company, dc=com" write)
> Config: (dbnolocking)
> Config: (dbnosync)
> Config: (cachesize 10000)
> Config: (dbcachesize 100000)
> Config: ** configuration file successfully read and parsed
> Retrieved state information for server.company.com:389 (timestamp 997309400.0)
> begin replication thread for server.company.com:389
> Replica server.company.com:389, skip repl record for
> uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
> Initializing session to server.company.com:389
> ldap_create
> bind to server.company.com as server.company.com via DIGEST-MD5 (SASL)
> ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
> ldap_int_sasl_bind: DIGEST-MD5
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host
> ldap_new_socket: 6
> ldap_prepare_socket: 6
> ldap_connect_to_host: Trying 192.168.1.2:389
> ldap_connect_timeout: fd: 6 tm: -1 async: 0
> ldap_ndelay_on: 6
> ldap_is_sock_ready: 6
> ldap_ndelay_off: 6
> ldap_int_sasl_open: server.company.com
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_flush: 54 bytes to sd 6
>   0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
>   0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
>   0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
>   0030:  53 54 2d 4d 44 35                                  ST-MD5
> ldap_write: want=54, written=54
>   0000:  30 34 02 01 01 60 2f 02  01 03 04 1c 63 6e 3d 4c   04...`/.....cn=L
>   0010:  44 41 50 72 6f 6f 74 2c  64 63 3d 73 61 66 65 63   DAProot,dc=compan
>   0020:  6f 2c 64 63 3d 63 6f 6d  a3 0c 04 0a 44 49 47 45   y,dc=com....DIGE
>   0030:  53 54 2d 4d 44 35                                  ST-MD5
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: server.company.com  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Thu Aug 23 12:31:48 2001
>
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** Response Queue:
>    Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> do_ldap_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=1, got=1
>   0000:  30                                                 0
> ldap_read: want=1, got=1
>   0000:  0c                                                 .
> ldap_read: want=12, got=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807f120 ptr=0x0807f120 end=0x0807f12c len=12
>   0000:  02 01 01 61 07 0a 01 07  04 00 04 00               ...a........
> ldap_read: message type bind msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
>   0000:  61 07 0a 01 07 04 00 04  00                        a........
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807f120 ptr=0x0807f123 end=0x0807f12c len=9
>   0000:  61 07 0a 01 07 04 00 04  00                        a........
> ldap_msgfree
> ldap_err2string
> Error: LDAP SASL for server.company.com:389 failed: Authentication method
> not supported
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_write: want=7, written=7
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_free_connection: actually freed
> fm: exiting
> Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on
> replica server.company.com:389
> end replication thread for server.company.com:389
> slurpd: terminated.[
>
> --- Steps to Reproduce ---
>
> 1.To begin, insert Red Hat Linux CD 1 in the CD-ROM drive.  Turn off the
> computer and turn it on again.
> 2."Welcome to Red Hat Linux 7.1" will appear on screen.  Press the ENTER
> key.
> 3.Debugging information will appear on screen.  The screen will
> briefly turn blue, and then additional debugging information will appear.
> Wait for the Red Hat logo to appear on screen.
> 4.In Language Selection, confirm that "English" is selected and press Next.
> 5.In Keyboard Configuration, confirm that "Generic 105-key (Intl) PC" is
> selected. Confirm that U.S. English is selected.  Select "Disable dead
> keys." Press Next.
> 6.In Mouse Configuration, select "2 Button Mouse (PS/2)".  Select "Emulate
> 3 buttons".  Press next.
> 7.On the Welcome to Red Hat Linux screen, press Next.
> 8.In Install Options, select "Server System".
> 9.In Disk Partitioning, select "Manually partition with Disk Druid" and
> press Next
> 10.Using the mouse, delete any existing partitions.  Using the Add button,
> add the following partitions:
> Mount point: (Not set) Size = 2x Physical RAM in server. Partition Type:
> Linux Swap.
> Mount point: /var Size = 650 Partition Type: Linux Native
> Mount point: / Use remaining space - checked.  Partition Type: Linux
> Native.
> 11.In Choose Partitions to Format select all partitions.  As well,
> select "Check for bad blocks while formatting".
> 12.In Network Configuration, select the eth0 tab.  Clear "Configure using
> DHCP."   Type in the appropriate values for IP address, NetMask, Network,
> Broadcast, Hostname, Gateway, and the DNS servers.  If there are multiple
> NICs in the server, select the eth1, eth2, etc. tabs and set appropriate
> values.
> 13.In Firewall Configuration, select "No Firewall".  Later in this guide,
> the Bastille Firewall will be installed. Detailed instructions for how to
> configure this firewall are provided in the Red Hat Linux Configuration
> Guide.  Press Next.
> 14.In Language Support Selection, confirm that "English (USA)" is selected.
> Press Next.
> 15.In Time Zone Selection, select "America/Vancouver".  Press Next.
> 16.In Account Configuration, type the Root Password in "Root Password" and
> in "Confirm".  Add a second account admin with the following properties:
> Account Name: admin
> Password: (your password)
> Password (confirm): (your password)
> Full Name: administrative user
> Press "Add" to add the new account.  Do not add additional accounts at this
> time.
> 17.In Selecting Package Groups, confirm that all packages are cleared.
> Select "Select individual packages", and press Next.
> 18.The next screen will be titled "Individual Package Selection".  A
> tree-view of available package categories will appear on the left side of
> the screen, while individual packages appear on the right.
> Applications - Communications: press "Unselect all in group".
> Applications - Editors: press "Unselect all in group".
> Applications - Internet: clear "elm", "fetchmail", "finger", "ftp", "im",
> "metamail", "ncftp", "nmh", "pine", "rsh", "rsync", "slrn", "talk", and
> "telnet".
> Applications - Publishing: clear "ghostscript" and "ghostscript-fonts".
> Applications - System: clear "isdn4k-utils".  Select "linuxconf" and
> "mtools".  Clear "rdist".  Select "samba-client" and "samba-common".
> Development - Libraries - clear openssl-devel
> System Environment - Base: clear "chkfontpath".
> System Environment - Daemons: clear "LPRng", "XFree86-xfs", "anonftp",
> "finger server", "inews", "ppp", "printconf", "rp-ppoe", "rsh-server",
> "rusers", "rusers-server", "rwall", "rwall-server", "rwho", "talk-server",
> "telnet-server", "wu-ftpd", and "wvdial".
> System Environment - Kernel: select "kernel-enterprise".
> System Environment - Libraries: clear "VFlib2"
> User Environment - X: clear "urw-fonts" and "xtt-fonts".
> 17.Press Next.
> 18.In About to Install, press Next.
> 19.In Installing Packages, the file system will be formatted.  Packages
> will be copied to the hard disk.  When prompted, insert Red Hat Linux Disk
> Two into the CD-ROM drive and press Ok.
> 20.In Boot Disk Creation, insert a blank floppy disk into the floppy drive
> and press Next.  The boot disk will be created.
> 21.In Congratulations, remove the floppy disk from the drive.  Label this
> "BOOT FLOPPY" and do not lose it.  Press Exit.
> 22.The system will shut down and the CD-ROM will eject.  IMMEDIATELY remove
> the CD-ROM from the drive.
> 23.Lilo will show.  You do not need to press Enter for Linux to boot.
> 24.Linux boot messages will show.  Services will start, and network
> interfaces will start. When "Red Hat Linux release 7.1 (Seawolf)" appears
> on screen, you may continue.
> Updating Linux with post-release fixes
> 25.Log in as root.
> 26.Insert the Project CD-ROM into the CD-ROM drive.
> 27.Mount the CD-ROM by typing mount /mnt/cdrom
> 28.Switch to the updates folder of the CD-ROM by typing cd
> /mnt/cdrom/updates
> 29.Type rpm -Uvh gcc/libstdc++-2.96-85.i386.rpm
> gcc/libstdc++-devel-2.96-85.i386.rpm and press Enter.
> 30.Type rpm -Uvh gnupg/gnupg-1.0.6-1.i386.rpm and press Enter.
> 31.Type rpm -Uvh mount/losetup-2.11b-3.i386.rpm
> mount/mount-2.11b-3.i386.rpm and press Enter.
> 32.Type  rpm -Uvh xinetd/xinetd-2.3.0-1.71.i386.rpm and press Enter.
> 33.Type cat /etc/lilo.conf and look for the section that starts with
> image=/boot/vmlinuz-2.4.2-2 . This indicates which hard disk partition
> Linux is installed on.  Make a note of the line that begins with root= . 
> For example, root=/dev/hda2 .
> 34.Type rpm -ivh kernel/i686/kernel-enterprise-2.4.3-12.i686.rpm and press
> Enter.
> 35.Type vi /etc/lilo.conf and press Enter.
> 36.Move the cursor down to the end of the file and press a.  Type the
> following lines below, replacing /dev/hdaXX with the value you determined
> in step 33.
> image = /boot/vmlinuz-2.4.3-12
>   label = linux
>   root = /dev/hdaXX
> 37.Find the section that begins with  image=/boot/vmlinuz-2.4.2-2 . Move
> the cursor down to the line that says label = linux .  Modify this line to
> read label = linux.old .
> 38.Press the Escape key, type :w and press Enter.  Type :q and press Enter.
> 39.Type lilo -v and press Enter.
> 40.Type cd and press Enter.
> 41.Type umount mnt/cdrom and press Enter.  You do not need to remove the
> CD-ROM from the CD-ROM drive.
> 42.Type cd and press Enter.
> 43.Type source .bash_profile and press Enter.
> 44.Type shutdown now -r and press Enter.  The server will reboot.
> 45.The Lilo screen will be shown with two choices - linux and linux old. 
> You do not need to press Enter for the boot sequence to continue.
> 46.Once again, log in as root.
> 47.Type mkbootdisk --device /dev/fd0 2.4.3-12 and press Enter.  Press Enter
> a second time.  This updates the boot disk with information about the new
> kernel.  Label this disk as (servername) Boot Disk
> Installing Bastille
> 48.Mount the CD-ROM with the command mount /mnt/cdrom .  Press Enter.
> 49.Type cd /mnt/cdrom/Bastille/ and press Enter.
> 50.Type rpm --nodeps -ivh perl-Curses-1.05-2mdk.i586.rpm and press Enter.
> 51.Type rpm -ivh Bastille-1.2.0-1.1mdk.noarch.rpm
> Bastille-Curses-module-1.2.0-1.1mdk.noarch.rpm and press Enter.
> Compiling & Installing OpenSSL libraries
> 52.Type cp /mnt/cdrom/openssl/openssl-0.9.6b.tar.gz /usr/src and press
> Enter.
> 53.Type cd /usr/src and press Enter.
> 54.Type tar -xzvf openssl-0.9.6b.tar.gz  and press Enter.
> 55.Type cd /openssl-0.9.6b and press Enter.
> 56.Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
> 57.Type make -f Makefile.ssl all and press Enter.
> 58.Type make -f Makefile.ssl install and press Enter.
> Compiling & Installing Cyrus SASL libraries
> 59.Type cp /mnt/cdrom/cyrus/cyrus-sasl-1.5.24.tar.gz /usr/src and press
> Enter.
> 60.Type cd and press Enter.
> 61.Type umount /mnt/cdrom and press Enter.  You should eject the CD-ROM
> from the CD-ROM drive.
> 62.Type cd /usr/src and press Enter.
> 63.Type tar -xzvf cyrus-sasl-1.5.24.tar.gz and press Enter.
> 64.Type cd cyrus-sasl-1.5.24 and press Enter.
> 65.Type ./configure --enable-plain --disable-krb4 and press Enter.
> 66.Type make and press Enter.
> 67.Type make install and press Enter.
> 68.Type ln /usr/lib/sasl /usr/local/lib/sasl -d and press Enter.
> 19.Type linuxconf and press Enter.
> 20.A welcome screen will appear.  Press Quit (this is not intuitive).
> 21.Using the cursor keys, select Config - Networking - Client Tasks and
> press Enter.  Select Host Name and IP Network Devices and press Enter.
> 22.In the "Host Name and Domain" field, input the appropriate server host
> name (if it's not already there).
> 23.Press Accept (use either the mouse or the tab key).
> 24.Press Dismiss.
> 25.Press Quit.  When prompted, press Do It.
> 69.Type saslpasswd -c LDAProot and press Enter.  When prompted, enter the
> password for LDAProot and press Enter.
> 70.Type sasldblistusers and press Enter.  The output should be as follows:
> user: LDAProot realm: server.company.com mech: DIGEST-MD5
> user: LDAProot realm: server.company.com mech: PLAIN
> user: LDAProot realm: server.company.com mech: CRAM-MD5
> (where server should be equal to the server name).
> Compiling & Installing OpenLDAP
> 71.Type cd../OpenLDAP and press Enter.
> 72.Type cp openldap-stable-20010524.tgz /usr/src and press Enter.
> 73.Type cd /usr/src and press Enter.
> 74.Type tar -xzvf openldap-stable-20010524.tgz and press Enter.
> 75.Type cd openldap-2.0.11/ and press Enter.
> 76.Type ./configure --with-cyrus-sasl --enable-spasswd and press Enter.
> 77.The last line of the output should read Please "make depend" to build
> dependencies.
> 78.Type make depend and press Enter.
> 79.Type make and press Enter.
> 80.Type make test and press Enter.  This verifies that the software has
> compiled correctly.
> 81.Type make install and press Enter.
>
> ---The contents of slapd.conf---
>
> Please note: this is the slapd.conf from the backup LDAP server.  The
> primary LDAP server has the "replica host" lines uncommented, and the
> "updatedn" / "updateref" lines commented out.
>
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20
> 23:32:43 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
>
> sasl-host	server.company.com
> sasl-realm	company.COM
>
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/inetorgperson.schema
> include		/usr/local/etc/openldap/schema/local.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral	ldap://root.openldap.org
>
> pidfile		/usr/local/var/slapd.pid
> argsfile	/usr/local/var/slapd.args
>
> # Load dynamic backend modules:
> # modulepath	/usr/local/libexec/openldap
> # moduleload	back_ldap.la
> # moduleload	back_ldbm.la
> # moduleload	back_passwd.la
> # moduleload	back_shell.la
>
> #LDAP_Version_3
> loglevel 0
> idletimeout 30
> sizelimit 100
> timelimit 120
> defaultsearchbase "dc=company,dc=com"
> schemacheck on
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database	ldbm
> ## REPLICATION OPTIONS
> #replica host=server.company.com:389
> #	bindmethod=simple
> #	binddn="cn=LDAProot,dc=company,dc=com"
> #	credentials=password
> updatedn "cn=LDAProot,dc=company,dc=com"
> updateref "ldap://ldap.company.com";
>
> replogfile	/usr/local/etc/openldap/replog/replog.log
> lastmod		off
>
> suffix		"dc=company,dc=com"
> rootdn		"cn=LDAProot,dc=company,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw		{SASL}LDAProot
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd/tools. Mode 700 recommended.
> directory	/usr/local/var/openldap-ldbm
> # Indices to maintain
>
> index	objectClass				eq,pres
> index	uid					eq
>
> index	cn					eq,sub
> index	mail					eq,pres,sub
> index	givenName				eq,sub
> index	sn					eq,sub
> index	o					eq,sub
>
> #ldbm access control definitions
> access to attr=userPassword
> 	by dn="cn=LDAPRoot, dc=company, dc=com" write
> 	by * none
>
> access to *
> 	by anonymous read
> 	by dn="cn=LDAPRoot, dc=company, dc=com" write
>
> dbnolocking
> dbnosync
> cachesize 10000
> dbcachesize 100000
>
>
> I look forward to any responses.
>
>
> Kayne McGladrey
> k.mcgladrey@worldnet.att.net
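As an added example (not part of the original thread or of OpenLDAP), here is a small Python BER decoder that reads the LDAP responses captured in the debug dumps above: the root DSE entry returned to ldapsearch carries zero attributes (so there is no supportedSASLMechanisms value for the client to read), and the BindResponse slurpd received carries resultCode 7, authMethodNotSupported. The message bytes are reassembled from the ldap_read lines in the dumps; the tag values and result-code names are those of LDAPv3 (RFC 2251).

```python
# Decode the LDAPMessages captured by "ldapsearch -d 2" and "slurpd -d 255"
# far enough to read the protocolOp and, for results, the resultCode.

# LDAPv3 (RFC 2251) result codes relevant to the captured responses
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    16: "noSuchAttribute",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}

# Constructed APPLICATION-class tags of the protocolOp choices seen in the dumps
OP_NAMES = {0x61: "BindResponse", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV at offset %d" % pos)
    return tag, buf[start:end], end


def count_items(seq):
    """Number of TLVs directly inside a constructed value (e.g. an attribute list)."""
    count, pos = 0, 0
    while pos < len(seq):
        _, _, pos = read_tlv(seq, pos)
        count += 1
    return count


def decode_ldap_message(hexdump):
    """Parse one LDAPMessage given as the hex bytes of a debug dump."""
    raw = bytes.fromhex(hexdump)
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, pos = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big", signed=True),
           "op": OP_NAMES.get(op_tag, "tag 0x%02x" % op_tag)}
    if op_tag == 0x64:  # SearchResultEntry ::= { objectName, attributes }
        _, dn, p = read_tlv(op, 0)
        _, attrs, _ = read_tlv(op, p)
        msg["objectName"] = dn.decode("utf-8")
        msg["attributeCount"] = count_items(attrs)
    elif op_tag in (0x61, 0x65):  # LDAPResult ::= { resultCode, matchedDN, errorMessage }
        _, code, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        rc = int.from_bytes(code, "big")
        msg.update(resultCode=rc, resultName=RESULT_CODES.get(rc, "unknown"),
                   matchedDN=matched.decode("utf-8"), errorMessage=diag.decode("utf-8"))
    return msg


# Bytes copied from the ldap_read lines in the dumps above: the one-byte tag and
# length reads concatenated with the body read that follows them.
SEARCH_ENTRY = "3009 020101 64 04 0400 3000"          # ldapsearch: entry for dn ""
SEARCH_DONE = "300c 020101 65 07 0a0100 0400 0400"    # ldapsearch: search done
BIND_RESPONSE = "300c 020101 61 07 0a0107 0400 0400"  # slurpd: DIGEST-MD5 bind reply


def diagnose():
    """Combine the three captured responses into the conclusion they support."""
    entry = decode_ldap_message(SEARCH_ENTRY)
    done = decode_ldap_message(SEARCH_DONE)
    bind = decode_ldap_message(BIND_RESPONSE)
    no_mechs = done["resultCode"] == 0 and entry["attributeCount"] == 0
    return {"root_dse_lists_sasl_mechanisms": not no_mechs,
            "bind_result": bind["resultName"]}


if __name__ == "__main__":
    for name in ("SEARCH_ENTRY", "SEARCH_DONE", "BIND_RESPONSE"):
        print(name, decode_ldap_message(globals()[name]))
    print(diagnose())
```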