
sasl: : unable to get user's secret



I think this is appropriate to the OpenLDAP list, since the sasl sample client / server test works:

[sstout:~] admin% cyrus-sasl-1.5.27/sample/.libs/client -s ldap localhost
receiving capability list... recv: {35}
PLAIN DIGEST-MD5 CRAM-MD5 ANONYMOUS
PLAIN DIGEST-MD5 CRAM-MD5 ANONYMOUS
send: {10}
DIGEST-MD5
send: {0}


recv: {157}
realm="sstout",nonce="MFh8Doi/yW4tTwbwokagvvhRQdO0qznb0M5h84fhw7g=",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4",charset=utf-8,algorithm=md5-sess
please enter an authorization id: LDAPAdmin
please enter an authentication id: LDAPAdmin
Password:
send: {265}
username="LDAPAdmin",realm="sstout",nonce="MFh8Doi/yW4tTwbwokagvvhRQdO0qznb0M5h84fhw7g=",cnonce="PQAMuLV8F817H0NCZwEK6Fr2RcF22bIWIJUr5qsMg+k=",nc=00000001,qop=auth-conf,cipher="rc4",charset=utf-8,digest-uri="ldap/localhost",response=1c072fcadd1912bd80002ba983b4f877
recv: {40}
rspauth=61a52c3435c4e756dc3e7e4cc1443009
send: {0}


successful authentication
closing connection

user has a valid entry in sasldb:

[sstout:~/cyrus-sasl-1.5.27] admin% sudo sasldblistusers | grep LDAPAdmin
user: LDAPAdmin realm: sstout mech: PLAIN
user: LDAPAdmin realm: sstout mech: CRAM-MD5
user: LDAPAdmin realm: sstout mech: DIGEST-MD5


slapd.conf /looks/ right:

[sstout:~/cyrus-sasl-1.5.27] admin% sudo cat /usr/local/etc/openldap/slapd.conf | grep sasl

sasl-realm      sstout
sasl-host       localhost
sasl-secprops   none

and

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=coloradobiz,dc=net"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=LDAPAdmin,dc=coloradobiz,dc=net"
#rootdn         "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SASL}LDAPAdmin

finally:

[sstout:~/cyrus-sasl-1.5.27] admin% cat /usr/lib/sasl/slapd.conf
pwcheck_method: sasldb

This is a testing, non-deployed environment, so everything is running / owned by root.


...And ldap knows about its sasl capabilities:

[sstout:~] admin% ldapsearch -H ldap://localhost -x -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS


Yet:

[sstout:~] admin% ldapadd -v -h localhost -D "cn=LDAPAdmin,dc=coloroadobiz,dc=net" -f base.ldif
ldap_init( localhost, 0 )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Unknown error
additional info: unable to get user's secret

...This (or something close) worked yesterday; I rebuilt all components today, following the instructions I built in order to get it all working before. Apparently I left out a step somewhere, though.


Ideas?


http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
mbartosh@4am-media.com
303.517.0272
Denver, CO


"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."

-- Nietzsche

Think Different.
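For anyone reading this thread later: the "unable to get user's secret" error is slapd failing to find the per-user secret that DIGEST-MD5 needs on the server side. The following is an added example (not code from the original post or from OpenLDAP/Cyrus SASL) that implements the RFC 2831 md5-sess computation behind the exchange shown above, on both the client and the server side. The challenge string is copied from the sample-client session; the password "constructed-pw" used in the test is constructed, so the response value will not match the one in the post.

```python
import hashlib
import hmac
import re

# Constructed sample: the server challenge from the thread, spaces between characters removed.
CHALLENGE = ('realm="sstout",nonce="MFh8Doi/yW4tTwbwokagvvhRQdO0qznb0M5h84fhw7g=",'
             'qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4",charset=utf-8,algorithm=md5-sess')
_FIELD = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')

def parse_digest_fields(msg: str) -> dict:
    """Split a DIGEST-MD5 message into key -> value; quoted values keep their commas."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(msg)}

def digest_md5_responses(user, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """RFC 2831 md5-sess: return (response, rspauth) as 32-char hex strings."""
    # H(user:realm:password) is the per-user secret slapd looks up in sasldb (the "user's
    # secret" of the error message); RFC 2831 concatenates it into A1 as raw bytes, not hex.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest() + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    suffix = ":" + "0" * 32 if qop in ("auth-int", "auth-conf") else ""  # integrity/privacy layers

    def kd(a2: str) -> str:
        ha2 = hashlib.md5(a2.encode()).hexdigest()
        return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

    return kd(f"AUTHENTICATE:{digest_uri}{suffix}"), kd(f":{digest_uri}{suffix}")

def build_client_response(challenge, user, password, cnonce, digest_uri, qop="auth-conf"):
    """Client side: answer a challenge the way the sample client above did (nc=00000001)."""
    c = parse_digest_fields(challenge)
    resp, _ = digest_md5_responses(user, c["realm"], password, c["nonce"], cnonce, "00000001", qop, digest_uri)
    return (f'username="{user}",realm="{c["realm"]}",nonce="{c["nonce"]}",cnonce="{cnonce}",'
            f'nc=00000001,qop={qop},charset=utf-8,digest-uri="{digest_uri}",response={resp}')

def verify_client_response(response_msg, password):
    """Server side: recompute from the stored secret in constant time; return rspauth or None."""
    f = parse_digest_fields(response_msg)
    expected, rspauth = digest_md5_responses(f["username"], f["realm"], password, f["nonce"],
                                             f["cnonce"], f["nc"], f["qop"], f["digest-uri"], f.get("authzid"))
    return rspauth if hmac.compare_digest(expected, f["response"]) else None
```

The server can only run verify_client_response if it can fetch H(user:realm:password) for exactly the username and realm the client sent, which is why a realm or DN mismatch between the client bind and the sasldb entry surfaces as "unable to get user's secret".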