[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL and slurpd



Hello,

IT'S NOW WORKING.  AFTER 92 HOURS OF WORK, IT'S WORKING CORRECTLY.

I will post a how-to to this mailing list as soon as I've tested the
configuration and finished the documentation.


Kayne McGladrey
kaymcg@safeco.com 


-----Original Message-----
From: MCGLADREY, KAYNE A [mailto:KAYMCG@SAFECO.com]
Sent: Thursday, September 27, 2001 10:36 AM
To: Openldap-Software (E-mail)
Subject: SASL and slurpd


Hello everyone,

I am now 15 hours into the saga of installing OpenLDAP 2.0.11 on FreeBSD
4.3. Thanks to everyone who assisted in compiling the software - two typos
were to blame.  The successful sequence was:
1.Type env CPPFLAGS="-I/usr/local/include/sasl" LDFLAGS="-L/usr/local/lib
-L/usr/local/lib/sasl" ./configure --enable-login --disable-krb4
--disable-gssapi --with-des=/usr/include/openssl/ --without-kerberos
--disable-kpasswd --with-cyrus-sasl-includes=/usr/local/include/sasl/
--with-cyrus-sasl-libraries=/usr/local/lib/sasl/ and press Enter.
2.Type make depend and press Enter.
3.Type make and press Enter.
4.Type make install and press Enter.

However, I am now faced with the same issue I faced for 75 hours on Linux.
Presuming that this is the correct command to include SASL support, I would
like to use SASL authentication to secure the user name & password during
replication.  Data can travel over the wire in plain text.  I would IDEALLY
like to use MD5 to handle the SASL encryption.  However, as this email
states, none of the available methods (PLAIN, LOGIN, MD5) are working.

I have two servers, one running Red Hat 7.1 and one running FreeBSD 4.3.
Typing ldapsearch -d 2 on either server indicates that PLAIN and LOGIN are
supportedSASLMechnanisms.

To begin replication, I type the following command on the server:
/usr/local/libexec/slurpd -d 255

slurpd reads the configuration file without error and starts looking at the
replication log. Here is the output that concerns me:
Initializing session to jarrett.safeco.com:389
ldap_create
bind to jarrett.safeco.com as REPL.LDAP.SAFECO.COM via LOGIN (SASL)
ldap_interactive_sasl_bind_s: user selected: LOGIN
ldap_int_sasl_bind: LOGIN
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
ldap_int_sasl_open: jarrett.safeco.com
ldap_err2string
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown authentication
method
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 8
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_free_connection: actually freed

> > > At this point, I press CTRL-C after waiting for five minutes with no
apparent processing occurring.

Retrying operation for DN uid=roman_g,ou=Distributors,dc=safeco,dc=com on
replica jarrett.safeco.com:389
end replication thread for jarrett.safeco.com:389
fm: exiting
slurpd: terminated.

Based on this output, it appears that the wrong user name is being passed.
Here is the relevant section of slapd.conf from the server:
## REPLICATION OPTIONS
replica host=jarrett.safeco.com:389
        binddn="uid=REPL.LDAP.SAFECO.COM"
        bindmethod=sasl
        saslmech=LOGIN
> > > NOTE: I've also tried "PLAIN" and "MD5".  Neither works. < < <
        authcID="REPL.LDAP.SAFECO.COM"
        authzID="REPL.LDAP.SAFECO.COM"
        realm=safeco.com
        credentials="password"

And from the backup server:
updatedn        "UID=REPL.LDAP.SAFECO.COM+REALM=JARRETT.SAFECO.COM"
updateref       ldap://ldap.safeco.com

And from the command sasldblistusers (also on the backup server):
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: PLAIN
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: CRAM-MD5
user: REPL.LDAP.SAFECO.COM realm: jarrett.safeco.com mech: DIGEST-MD5

Finally, here's the /usr/local/lib/sasl/slapd.conf (on the backup):
pwcheck_method: sasldb

Thank you for reading to the bottom of this rather comprehensive email.  If
you have a suggestion on how to make SASL work with OpenLDAP, please contact
me.
I will state again, for the record, that the following "suggestions" aren't
much help:
* "Check the archives for hints!"
* "Read the manpage for slapd.conf"
* "Check to see if the sample-client and sample-server with SASL are
working"
* "http://www.bayour.com/LDAPv3-HOWTO.html"; - this last one introduces WAY
too many variables, i.e. kerberos.  It's a great how-to, but it doesn't help
if you're trying to get _JUST_ SASL working.

Thanks in advance to those who reply,


Kayne McGladrey
kaymcg@safeco.com