Re: SASL replication - the continuing saga
Have you gotten authentication working using the sample Cyrus
SASL client and server? This is a very important first step.
If it doesn't work there, it won't work in OpenLDAP. I suggest
you sort out your DIGEST-MD5 problems there before trying to
tackle OpenLDAP-specific configuration.
At 06:45 AM 2001-08-29, Kayne McGladrey wrote:
>Hello everyone,
>
>I'm continuing my effort to successfully configure OpenLDAP and SASL. This
>effort has thus far taken 40 hours of my time. I'm doing this in the hopes
>that I will be able to have OpenLDAP replication use SASL authentication.
>
>I had previously not been able to have the supportedSASLMechanisms attribute
>report anything. After some further experimentation with SASL-SECPROPS and
>SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf, it now reports PLAIN
>and LOGIN. I can't get it to recognize DIGEST-MD5, which is what I'm hoping
>to have it use.
>
>As this is progress, I thought I'd try to use either PLAIN or LOGIN for
>authentication. This DOES NOT work. I'm specifically concerned with these
>lines in the slurpd output:
>
> bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
> ldap_interactive_sasl_bind_s: user selected: PLAIN
> ldap_int_sasl_bind: PLAIN
>
>The "user selected: PLAIN" is either a poorly-written debug message or in
>error. The user I've specified is repl.ldap.company.com.
>
>Any assistance would be greatly appreciated. I hope to consolidate my efforts
>into a FAQ or installation guide. This seems to be the most frequently asked
>question on the list.
>
>I'm including full output from the relevant items (ldapsearch,
>sasldblistusers, slurpd, slapd.conf).
>
>--- ldapsearch on server ---
>[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: LOGIN
>
>--- ldapsearch on backup ---
>[root@backup /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: LOGIN
>
>--- sasldblistusers on backup ---
>[root@backup /root]# sasldblistusers
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
>
>--- slurpd output ---
>[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
>Config: opening config file "/usr/local/etc/openldap/slapd.conf"
>Config: (include /usr/local/etc/openldap/schema/core.schema)
>Config: (include /usr/local/etc/openldap/schema/cosine.schema)
>Config: (include /usr/local/etc/openldap/schema/inetorgperson.schema)
>Config: (include /usr/local/etc/openldap/schema/local.schema)
>Config: (pidfile /usr/local/var/slapd.pid)
>Config: (argsfile /usr/local/var/slapd.args)
>Config: (loglevel 0)
>Config: (idletimeout 30)
>Config: (sizelimit 100)
>Config: (timelimit 120)
>Config: (defaultsearchbase "dc=company,dc=com")
>Config: (schemacheck on)
>Config: (disallows bind_krbv4)
>Config: (sasl-secprops noanonymous minssf=112)
>Config: (security update_sasl=112 update_ssf=112)
>Config: (database ldbm)
>Config: (rootdn "cn=LDAProot,dc=company,dc=com")
>Config: (rootpw {crypt}papAq5PwY/QQM)
>Config: (suffix "dc=company,dc=com")
>Config: (replogfile /usr/local/etc/openldap/replog/replog.log)
>Config: (lastmod off)
>Config: (replica host=backup.company.com:389
>binddn="uid=repl.ldap.company.com" bindmethod=sasl saslmech=PLAIN
>authcID="repl.ldap.company.com" authzID="repl.ldap.company.com"
>realm=company.com credentials="password")
>Config: ** successfully added replica "backup.company.com:389"
>Config: (security update_ssf=112)
>Config: (directory /usr/local/var/openldap-ldbm)
>Config: (mode 0600)
>Config: (index objectClass eq,pres)
>Config: (index uid eq)
>Config: (index cn eq,sub)
>Config: (index mail eq,pres,sub)
>Config: (index givenName eq,sub)
>Config: (index sn eq,sub)
>Config: (index o eq,sub)
>Config: (access to attr=userPassword by dn="cn=LDAPRoot, dc=company, dc=com" write by * none)
>Config: (access to * by anonymous read by dn="cn=LDAPRoot, dc=company, dc=com" write)
>Config: (dbnolocking)
>Config: (dbnosync)
>Config: (cachesize 10000)
>Config: (dbcachesize 100000)
>Config: ** configuration file successfully read and parsed
>Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
>begin replication thread for backup.company.com:389
>Replica backup.company.com:389, skip repl record for uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
>Initializing session to backup.company.com:389
>ldap_create
>bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
>ldap_interactive_sasl_bind_s: user selected: PLAIN
>ldap_int_sasl_bind: PLAIN
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host
>ldap_new_socket: 6
>ldap_prepare_socket: 6
>ldap_connect_to_host: Trying 192.168.1.2:389
>ldap_connect_timeout: fd: 6 tm: -1 async: 0
>ldap_ndelay_on: 6
>ldap_is_sock_ready: 6
>ldap_ndelay_off: 6
>ldap_int_sasl_open: backup.company.com
>ldap_err2string
>Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication method
>ldap_unbind
>ldap_free_connection
>ldap_send_unbind
>ber_flush: 7 bytes to sd 6
> 0000: 30 05 02 01 01 42 00 0....B.
>ldap_write: want=7, written=7
> 0000: 30 05 02 01 01 42 00 0....B.
>ldap_free_connection: actually freed
>fm: exiting
>Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on replica backup.company.com:389
>end replication thread for backup.company.com:389
>slurpd: terminated.
>
>--- slapd.conf on server ---
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /usr/local/etc/openldap/schema/core.schema
>include /usr/local/etc/openldap/schema/cosine.schema
>include /usr/local/etc/openldap/schema/inetorgperson.schema
>include /usr/local/etc/openldap/schema/local.schema
>
>pidfile /usr/local/var/slapd.pid
>argsfile /usr/local/var/slapd.args
>
>loglevel 0
>idletimeout 30
>sizelimit 100
>timelimit 120
>defaultsearchbase "dc=company,dc=com"
>schemacheck on
>disallows bind_krbv4
>
>sasl-secprops noanonymous minssf=112
>security update_sasl=112 update_ssf=112
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database ldbm
>rootdn "cn=LDAProot,dc=company,dc=com"
>rootpw {crypt}papAq5PwY/QQM
>suffix "dc=company,dc=com"
>
>replogfile /usr/local/etc/openldap/replog/replog.log
>lastmod off
>
>## REPLICATION OPTIONS
>replica host=backup.company.com:389
> binddn="uid=repl.ldap.company.com"
> bindmethod=sasl
> saslmech=PLAIN
> authcID="repl.ldap.company.com"
> authzID="repl.ldap.company.com"
> realm=company.com
> credentials="password"
>
>security update_ssf=112
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd/tools. Mode 700 recommended.
>directory /usr/local/var/openldap-ldbm
>mode 0600
>
># Indices to maintain
>index objectClass eq,pres
>index uid eq
>
>index cn eq,sub
>index mail eq,pres,sub
>index givenName eq,sub
>index sn eq,sub
>index o eq,sub
>
>#ldbm access control definitions
>access to attr=userPassword
> by dn="cn=LDAPRoot, dc=company, dc=com" write
> by * none
>
>access to *
> by anonymous read
> by dn="cn=LDAPRoot, dc=company, dc=com" write
>
>dbnolocking
>dbnosync
>cachesize 10000
>dbcachesize 100000
>
>--- slapd.conf on backup ---
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>
>include /usr/local/etc/openldap/schema/core.schema
>include /usr/local/etc/openldap/schema/cosine.schema
>include /usr/local/etc/openldap/schema/inetorgperson.schema
>include /usr/local/etc/openldap/schema/local.schema
>
>pidfile /usr/local/var/slapd.pid
>argsfile /usr/local/var/slapd.args
>
>loglevel 0
>idletimeout 30
>sizelimit 100
>timelimit 120
>defaultsearchbase "dc=company,dc=com"
>schemacheck on
>disallows bind_krbv4
>
>sasl-secprops noanonymous minssf=112
>security update_sasl=112 update_ssf=112
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database ldbm
>rootdn "cn=LDAProot,dc=company,dc=com"
>rootpw {crypt}papAq5PwY/QQM
>suffix "dc=company,dc=com"
>
>updatedn "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
>updateref ldap://ldap.company.com
>
>security update_ssf=112
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd/tools. Mode 700 recommended.
>directory /usr/local/var/openldap-ldbm
>mode 0600
>
># Indices to maintain
>index objectClass eq,pres
>index uid eq
>
>index cn eq,sub
>index mail eq,pres,sub
>index givenName eq,sub
>index sn eq,sub
>index o eq,sub
>
>#ldbm access control definitions
>access to attr=userPassword
> by dn="cn=LDAPRoot, dc=company, dc=com" write
> by * none
>
>access to *
> by anonymous read
> by dn="cn=LDAPRoot, dc=company, dc=com" write
>
>dbnolocking
>dbnosync
>cachesize 10000
>dbcachesize 100000
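As an added example, not part of this thread and not OpenLDAP's own code, here is a small Python lint in the spirit of the advice above: check the SASL pieces against each other before touching slurpd again. It cross-checks the `replica` stanza of the master's slapd.conf against what the replica's rootDSE advertises and what `sasldblistusers` shows for the bind user. The sample inputs are constructed from the output quoted in the thread; the function names, the checks and the finding texts are my own assumptions, not anything slurpd reports.

```python
"""Consistency lint for a slurpd SASL replica stanza (added example).

Cross-checks three things that must agree before a SASL bind from
slurpd can work: the mechanism named in the replica stanza, the
mechanisms the replica advertises, and the sasldb entry it will
verify the credentials against.
"""
import re

# Mechanisms that transmit the password in cleartext and offer no
# security layer (SSF 0); only acceptable inside TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample inputs, copied from the thread's quoted output.
ROOTDSE_OUTPUT = """dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""

SASLDB_OUTPUT = """user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
"""

MASTER_CONF = """sasl-secprops noanonymous minssf=112
security update_sasl=112 update_ssf=112

replica host=backup.company.com:389
        binddn="uid=repl.ldap.company.com"
        bindmethod=sasl
        saslmech=PLAIN
        authcID="repl.ldap.company.com"
        authzID="repl.ldap.company.com"
        realm=company.com
        credentials="password"
"""


def parse_rootdse_mechs(text):
    """Mechanisms listed as supportedSASLMechanisms in ldapsearch output."""
    return [m.group(1).upper() for m in
            re.finditer(r"^supportedSASLMechanisms:\s*(\S+)", text, re.M)]


def parse_sasldb_users(text):
    """(user, realm, mech) tuples from sasldblistusers output."""
    pat = re.compile(r"^user:\s*(\S+)\s+realm:\s*(\S+)\s+mech:\s*(\S+)", re.M)
    return [(u.lower(), r.lower(), m.upper()) for u, r, m in pat.findall(text)]


def parse_minssf(conf):
    """minssf from the sasl-secprops directive, 0 if absent."""
    m = re.search(r"^sasl-secprops\b.*?\bminssf=(\d+)", conf, re.M)
    return int(m.group(1)) if m else 0


def parse_replica_stanza(conf):
    """key=value pairs of the first replica directive, keys lower-cased.

    slapd.conf continues a directive on lines that start with
    whitespace, so those lines are joined before splitting.
    """
    joined = re.sub(r"\n[ \t]+", " ", conf)
    for line in joined.splitlines():
        if line.startswith("replica "):
            pairs = re.findall(r'(\w+)=("([^"]*)"|\S+)', line)
            return {k.lower(): (q if v.startswith('"') else v) for k, v, q in pairs}
    return {}


def check_replica(replica, offered_mechs, sasldb_users, minssf=0):
    """Return a list of human-readable findings (empty means consistent)."""
    findings = []
    if replica.get("bindmethod", "").lower() != "sasl":
        return findings
    mech = replica.get("saslmech", "").upper()
    user = replica.get("authcid", "").lower()
    realm = replica.get("realm", "").lower()
    if mech not in offered_mechs:
        findings.append("replica does not advertise %s (offered: %s)"
                        % (mech, ", ".join(offered_mechs)))
    if mech in CLEARTEXT_MECHS:
        findings.append("%s sends the password in cleartext and has SSF 0" % mech)
        if minssf > 0:
            findings.append("sasl-secprops minssf=%d cannot be met by %s itself"
                            % (minssf, mech))
    realms = {r for u, r, m in sasldb_users if u == user and m == mech}
    if not realms:
        findings.append("no sasldb entry for %s with mech %s" % (user, mech))
    elif realm and realm not in realms:
        findings.append("stanza says realm=%s but sasldb holds %s in realm %s"
                        % (realm, user, ", ".join(sorted(realms))))
    return findings


if __name__ == "__main__":
    stanza = parse_replica_stanza(MASTER_CONF)
    for f in check_replica(stanza, parse_rootdse_mechs(ROOTDSE_OUTPUT),
                           parse_sasldb_users(SASLDB_OUTPUT), parse_minssf(MASTER_CONF)):
        print("FINDING:", f)
```

Run against the thread's own configuration it reports three things worth looking at before the next slurpd run: PLAIN is a cleartext mechanism with no security layer, so a `minssf=112` requirement cannot be satisfied by the mechanism alone; and the stanza's `realm=company.com` does not match the `backup.company.com` realm the sasldb entries were created under. Switching the stanza to `DIGEST-MD5` reduces that to the one finding the thread is really about: the replica does not advertise it.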