
Re: LDAP authentication against PAM how-to



Emmanuel Dreyfus wrote:
> On Fri, Feb 09, 2007 at 01:15:47AM -0800, Howard Chu wrote:
>> I wouldn't expect to find much documentation on this topic because in general it's the wrong thing to do. What distributed authentication system do you use that is supported by pam but is not supported directly by LDAP or SASL?

> Radius. I'm aware that 2.4 fills that gap, but I don't want to use alpha software in production.

That's fair.

> (In fact, I was not even able to build it.)

But you should send feedback about what specific problems you encountered, otherwise things will never improve.


>> These steps are only needed if you're going to use plaintext passwords in SASL Binds, and yet you only show the use of Simple Binds here.

> Sure, that's just what I was looking for. I found no doc explaining how to do it, that's why I post it there, with the hope it could help someone else (or even myself in a few months).
>
> I could not even find a place where it is said that userPassword should
> be {SASL} followed by the login.

The use of this mechanism is not recommended. We don't document deprecated mechanisms.


>>> NB2: slapd logs in /var/log/slapd.conf, the error messages are usually
>>> meaningless, especially for ACL and SASL troubles.
>> The log messages are meaningful, you just don't understand them. Your ignorance does not indicate a fault in the software.
>
> I expected to be flamed for that one. I'm just telling you about my frustration working with some OpenLDAP areas. You can choose to call user feedback ignorance and ignore it, it's up to you.

That was not a flame, just a statement of fact. The same as if the messages were written in Greek and you didn't know how to read Greek. If you don't know the language, you're in no position to judge if it is meaningful or not.


> Back on ACL logs: point me to the document that explains how to parse that pack of nonsense, and I might consider them meaningful. For now, my opinion is that the ACL log output is just useless for the average administrator. Where is the information such as which ACL matched, or for what value an ACL clause is evaluated?

Show us your ACL configuration, a sample operation, and the logs that are produced.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/