Re: Fw: on SASL
Turbo Fredriksson wanted us to know:
>http://www.bayour.com/LDAPv3-HOWTO.html
Very impressive piece of work. I have some questions though. I am
working on a Mandrake 8.1 box. Cyrus-SASL with the libraries for
digest-md5, plain, and cram-md5 are installed (Mandrake makes each a
separate rpm, dunno if others do that).
This ties LDAP + TLS + SASL + Kerberos together to get LDAP v3.
According to documentation that I've found on the web, I should be
able to get secure replication using just SASL. Is that correct? Even
if it's not correct, I should still be able to get SASL working
properly.
Now, I know that the following does not work. What I'm looking for is
pointers as to why. In the master ldap config file, I define three
replicas. The first is a simple bind and it works well. The second is
a simple bind to an alternate port and it works well. The third is my
attempt to use SASL and it's failing. Does anything look obviously
wrong?
Works:
replogfile /var/log/ldap/replicate-Grand.log
replica host=gteshome:389
<snip>
replogfile /var/log/ldap/replicate-District2.log
replica host=gteshome:50389
<snip>
Doesn't work:
replogfile /var/log/ldap/replicate-District3.log
replica host=gteshome:53389
        suffix="ou=District3,o=mrball,c=US"
        bindmethod=sasl
        binddn="uid=tlyons.mrball.net"
        saslmech=DIGEST-MD5
        authcId="tlyons.mrball.net"
        authzId="tlyons.mrball.net"
        realm="gteshome.mrball.net"
        credentials="todd"
In the config file for the slave ldap server for port 53389, I have:
updatedn "UID=TLYONS.MRBALL.NET+REALM=GTESHOME.MRBALL.NET"
In all documentation that I've seen, it's always all caps like this.
Why? When I create my SASL users, it is case-sensitive. I assume that
means it's important. I did try it all lowercase, but it didn't work
either.
For ACL's, I have:
access to attrs=userPassword,lmpassword,ntpassword
        by self write
        by dn="UID=TLYONS.MRBALL.NET" write
        by * none
access to *
        by self read
        by dn="UID=TLYONS.MRBALL.NET" write
        by * search
[root@gteshome root]# sasldblistusers
user: tlyons.mrball.net realm: gteshome.mrball.net mech: DIGEST-MD5
user: tlyons.mrball.net realm: gteshome.mrball.net mech: PLAIN
user: tlyons.mrball.net realm: gteshome.mrball.net mech: CRAM-MD5
These were created with:
[root@gteshome root]# echo "todd" | saslpasswd -p -a slapd -u gteshome.mrball.net tlyons.mrball.net
There was some confusion on my part if I had to create these users with
"-a slapd" or "-a ldap" or just blank, which should default to "-a sasl".
I figured that out by stracing it :) It also was inferred that the
entries in the SASL db needed to be lower-case. Is that correct? I have
a /usr/lib/sasl/sasl.conf, ldap.conf, and slapd.conf, all three of which
have had various incarnations of:
pwcheck_method: sasldb
OR
pwcheck_method: sasl
OR
pwcheck_method: digest
OR
pwcheck_method: DIGEST-MD5
and a few others. Do any of them look right? Remember, I'm just trying
to use SASL.
If I have some basic misunderstandings of SASL, please put me on the
path to enlightenment. In the meantime, I'm studying your HowTo.
--
Blue skies... Todd
| Get a bigger hammer! | All vendors suck, but different ones |
| http://www.mrball.net | suck less in different applications. |
| http://faq.mrball.net | --Andy Walden on NANOG |
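As an added, stand-alone check (not part of the original post or of the OpenLDAP/Cyrus tools), the script below parses a slapd.conf replica directive of the form shown above and cross-checks its SASL parameters against a sasldblistusers dump. It assumes slapd.conf's rule that continuation lines begin with whitespace, and it uses the posted values as constructed sample input; it reports a missing parameter, a missing sasldb entry, or an entry that differs only in case, which is the question the post raises.

```python
"""Cross-check a slapd.conf SASL replica directive against a sasldblistusers dump."""
import re
import shlex

# Constructed sample input built from the values in the post (not captured from a live box).
REPLICA_CONF = """\
replogfile /var/log/ldap/replicate-District3.log
replica host=gteshome:53389
        suffix="ou=District3,o=mrball,c=US"
        bindmethod=sasl
        binddn="uid=tlyons.mrball.net"
        saslmech=DIGEST-MD5
        authcId="tlyons.mrball.net"
        authzId="tlyons.mrball.net"
        realm="gteshome.mrball.net"
        credentials="todd"
"""
SASLDB_DUMP = """\
user: tlyons.mrball.net realm: gteshome.mrball.net mech: DIGEST-MD5
user: tlyons.mrball.net realm: gteshome.mrball.net mech: PLAIN
user: tlyons.mrball.net realm: gteshome.mrball.net mech: CRAM-MD5
"""

def parse_replicas(conf):
    """One dict per 'replica' directive; indented lines continue the previous directive."""
    replicas = []
    for raw in conf.splitlines():
        if raw.startswith("replica "):
            replicas.append({})
            body = raw[len("replica "):]
        elif raw[:1].isspace() and replicas:
            body = raw.strip()
        else:
            continue                      # replogfile and other directives are not replica options
        for tok in shlex.split(body):     # shlex removes the double quotes around values
            key, _, val = tok.partition("=")
            replicas[-1][key.lower()] = val
    return replicas

def parse_sasldb(dump):
    """Set of (user, realm, mech) tuples exactly as sasldblistusers printed them."""
    return set(re.findall(r"user: (\S+) realm: (\S+) mech: (\S+)", dump))

def check_sasl_replica(replica, sasldb):
    """Return a list of problems; an empty list means the directive matches a sasldb entry."""
    if replica.get("bindmethod", "").lower() != "sasl":
        return ["bindmethod is not sasl"]
    problems = [f"missing {k}" for k in ("saslmech", "authcid", "credentials") if not replica.get(k)]
    want = (replica.get("authcid", ""), replica.get("realm", ""), replica.get("saslmech", ""))
    if want in sasldb:
        return problems
    folded = {(u.lower(), r.lower(), m.upper()) for u, r, m in sasldb}
    if (want[0].lower(), want[1].lower(), want[2].upper()) in folded:
        problems.append("sasldb entry differs only in case: %s" % (want,))
    else:
        problems.append("no sasldb entry for user=%s realm=%s mech=%s" % want)
    return problems
```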