SASL and slurpd
Hello everyone,
I am now 15 hours into the saga of installing OpenLDAP 2.0.11 on FreeBSD
4.3. Thanks to everyone who assisted in compiling the software - two typos
were to blame. The successful sequence was:
1. Type the following (one line) and press Enter:
   env CPPFLAGS="-I/usr/local/include/sasl" LDFLAGS="-L/usr/local/lib -L/usr/local/lib/sasl" ./configure --enable-login --disable-krb4 --disable-gssapi --with-des=/usr/include/openssl/ --without-kerberos --disable-kpasswd --with-cyrus-sasl-includes=/usr/local/include/sasl/ --with-cyrus-sasl-libraries=/usr/local/lib/sasl/
2. Type make depend and press Enter.
3. Type make and press Enter.
4. Type make install and press Enter.
However, I am now faced with the same issue I faced for 75 hours on Linux.
Presuming that this is the correct command to include SASL support, I would
like to use SASL authentication to secure the user name & password during
replication. Data can travel over the wire in plain text. I would IDEALLY
like to use MD5 to handle the SASL encryption. However, as this email
states, none of the available methods (PLAIN, LOGIN, MD5) are working.
I have two servers, one running Red Hat 7.1 and one running FreeBSD 4.3.
Typing ldapsearch -d 2 on either server indicates that PLAIN and LOGIN are the
supportedSASLMechanisms.
To begin replication, I type the following command on the server:
/usr/local/libexec/slurpd -d 255
slurpd reads the configuration file without error and starts looking at the
replication log. Here is the output that concerns me:
Initializing session to jarrett.safeco.com:389
ldap_create
bind to jarrett.safeco.com as REPL.LDAP.SAFECO.COM via LOGIN (SASL)
ldap_interactive_sasl_bind_s: user selected: LOGIN
ldap_int_sasl_bind: LOGIN
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
ldap_int_sasl_open: jarrett.safeco.com
ldap_err2string
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown authentication method
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 8
0000: 30 05 02 01 01 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 01 42 00 0....B.
ldap_free_connection: actually freed
> > > At this point, I press CTRL-C after waiting for five minutes with no
apparent processing occurring.
Retrying operation for DN uid=roman_g,ou=Distributors,dc=safeco,dc=com on replica jarrett.safeco.com:389
end replication thread for jarrett.safeco.com:389
fm: exiting
slurpd: terminated.
Based on this output, it appears that the wrong user name is being passed.
Here is the relevant section of slapd.conf from the server:
## REPLICATION OPTIONS
replica host=jarrett.safeco.com:389
binddn="uid=REPL.LDAP.SAFECO.COM"
bindmethod=sasl
saslmech=LOGIN
> > > NOTE: I've also tried "PLAIN" and "MD5". Neither works. < < <
authcID="REPL.LDAP.SAFECO.COM"
authzID="REPL.LDAP.SAFECO.COM"
realm=safeco.com
credentials="password"
And from the backup server:
updatedn "UID=REPL.LDAP.SAFECO.COM+REALM=JARRETT.SAFECO.COM"
updateref ldap://ldap.safeco.com
And from the command sasldblistusers (also on the backup server):
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: PLAIN
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: CRAM-MD5
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: DIGEST-MD5
Finally, here's the /usr/local/lib/sasl/slapd.conf (on the backup):
pwcheck_method: sasldb
Thank you for reading to the bottom of this rather comprehensive email. If
you have a suggestion on how to make SASL work with OpenLDAP, please contact
me.
I will state again, for the record, that the following "suggestions" aren't
much help:
* "Check the archives for hints!"
* "Read the manpage for slapd.conf"
* "Check to see if the sample-client and sample-server with SASL are
working"
* "http://www.bayour.com/LDAPv3-HOWTO.html" - this last one introduces WAY
too many variables, i.e. kerberos. It's a great how-to, but it doesn't help
if you're trying to get _JUST_ SASL working.
Thanks in advance to those who reply,
Kayne McGladrey
kaymcg@safeco.com
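The mail above quotes three pieces of configuration that have to agree before a SASL bind from slurpd can succeed: the replica stanza in slapd.conf (saslmech, authcID, realm), the entries in the replica's sasldb, and the mechanisms the replica advertises. The following Python script is an added example, not code from the original mail or from OpenLDAP or Cyrus SASL; it parses the quoted replica stanza and the quoted sasldblistusers output (both embedded here as constructed sample input, copied from the mail) and reports the differences a reviewer would check first: whether the configured realm matches the realm in sasldb, whether the requested mechanism has a sasldb entry for that user, and whether the mechanism is one (PLAIN, LOGIN) that transmits the password itself rather than a proof of it. The parsing of the stanza and the listing is an approximation of the two formats as they appear in the mail, not an implementation of either tool's real parser.

```python
"""
Cross-check a slurpd 'replica' stanza against the replica's SASL user
database.  Sample inputs are constructed from the text of the mail.
"""
import re

# Constructed sample: the replica stanza as quoted in the mail.
REPLICA_STANZA = """\
replica host=jarrett.safeco.com:389
binddn="uid=REPL.LDAP.SAFECO.COM"
bindmethod=sasl
saslmech=LOGIN
authcID="REPL.LDAP.SAFECO.COM"
authzID="REPL.LDAP.SAFECO.COM"
realm=safeco.com
credentials="password"
"""

# Constructed sample: sasldblistusers output as quoted in the mail.
SASLDB_LISTING = """\
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: PLAIN
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: CRAM-MD5
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: DIGEST-MD5
"""

# Mechanisms that send the password itself over the connection.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_replica(text):
    """Return {key: value} for one replica stanza.

    Keys are lower-cased so authcID / authcid compare equal; surrounding
    double quotes are stripped from values.  A quoted value is consumed
    whole, so the '=' inside binddn="uid=..." is not taken as a new key.
    """
    params = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', text):
        key = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(2)
        params[key] = value
    return params


def parse_sasldb(text):
    """Return {(user, realm): set_of_mechs} from sasldblistusers output."""
    entries = {}
    pat = re.compile(r"user:\s*(\S+)\s+realm:\s*(\S+)\s+mech:\s*(\S+)")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            user, realm, mech = m.groups()
            entries.setdefault((user, realm.lower()), set()).add(mech.upper())
    return entries


def check_replica(params, sasldb):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    mech = params.get("saslmech", "").upper()
    user = params.get("authcid", "")
    realm = params.get("realm", "").lower()

    if mech in CLEARTEXT_MECHS:
        findings.append(
            f"saslmech {mech} transmits the password itself; it needs a "
            f"protected connection (e.g. TLS) or a challenge-response mechanism"
        )

    # Which realms does sasldb know this authentication identity under?
    realms = {r for (u, r) in sasldb if u == user}
    if not realms:
        findings.append(f"authcID {user!r} has no entry in the SASL database")
        return findings

    if realm not in realms:
        findings.append(
            f"realm {realm!r} in slapd.conf does not match sasldb realm(s) "
            f"{sorted(realms)} for {user!r}"
        )

    available = set().union(*(m for (u, _), m in sasldb.items() if u == user))
    if mech not in available:
        findings.append(
            f"saslmech {mech} has no sasldb entry for {user!r}; "
            f"entries exist for {sorted(available)}"
        )
    return findings


if __name__ == "__main__":
    report = check_replica(parse_replica(REPLICA_STANZA),
                           parse_sasldb(SASLDB_LISTING))
    for finding in report:
        print("-", finding)
```

Run against the quoted configuration, the script reports three differences: the mechanism is a cleartext one, the stanza's realm (safeco.com) is not the realm the sasldb entries carry (jarrett.safeco.com), and there is no sasldb entry labelled LOGIN for the user. Whether any one of them is the cause of the "Unknown authentication method" error is for the operator to confirm; the point of the check is to make the mismatches visible before the next attempt.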