Hi,

After a series of trial and error I finally got it working. The following configuration works for openldap-2.4.16:

overlay chain
chain-uri "ldap://server.group"
#chain-uri "ldaps:///server.group" - not working at all[1]?
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=whatever"
    tls_cert=/etc/ldap/ssl/replicator-cert.pem
    tls_key=/etc/ldap/ssl/replicator-key.pem
    tls_cacert=/etc/ssl/certs/mgoc-cacert.pem
    tls_reqcert=demand
    mode=self
#   starttls=yes/critical - even this?
chain-tls start
chain-idassert-authzFrom "*"
chain-return-error TRUE

$ ldappasswd -x -D 'uid=guest,ou=users,dc=server,dc=group' -w1234 -sguest

From the master you may see something like this one:

Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PROXYAUTHZ dn="uid=guest,ou=users,dc=server,dc=group"
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PASSMOD new
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 RESULT oid= err=0 text=

On the slave:

Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=users,dc=server,dc=group" method=128
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=Users,dc=server,dc=group" mech=SIMPLE ssf=0
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 PASSMOD new
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 RESULT oid= err=0 text=

Thanks to all the people who tried to help me.

[1] http://www.openldap.org/lists/openldap-software/200808/msg00012.html

--
Greek Ordono
myppa: launchpad.net/~grexk/+archive/ppa

--- On Sat, 7/18/09, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
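
Added example (not part of the original post or of the reply it quotes): a Python check over master-side slapd log lines in the format shown in the post, reporting for each Password Modify operation whether a PROXYAUTHZ identity was logged for the same conn/op. The conn=2 lines in the sample and the name audit_passmod are constructed for illustration.

```python
import re
from collections import defaultdict

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify extended operation (RFC 3062)

# Constructed sample: the master-side lines quoted in the post, plus one
# hypothetical operation (conn=2) that arrives without a PROXYAUTHZ control.
SAMPLE_MASTER_LOG = """\
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PROXYAUTHZ dn="uid=guest,ou=users,dc=server,dc=group"
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PASSMOD new
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 RESULT oid= err=0 text=
Jul 18 11:46:02 server slapd[1275]: conn=2 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:46:02 server slapd[1275]: conn=2 op=3 PASSMOD new
Jul 18 11:46:02 server slapd[1275]: conn=2 op=3 RESULT oid= err=0 text=
"""

# syslog prefix, then slapd's "conn=N op=N VERB rest" statistics line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<verb>\S+)\s*(?P<rest>.*)$"
)

def audit_passmod(log_text):
    """Return one record per Password Modify op, with the asserted identity if any."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-operation slapd line
        key = (m["host"], int(m["pid"]), int(m["conn"]), int(m["op"]))
        verb, rest = m["verb"], m["rest"]
        if verb == "PROXYAUTHZ":
            dn = re.search(r'dn="([^"]*)"', rest)
            ops[key]["authz_dn"] = dn.group(1) if dn else None
        elif verb == "EXT" and f"oid={PASSMOD_OID}" in rest:
            ops[key]["passmod"] = True
        elif verb == "RESULT":
            err = re.search(r"\berr=(-?\d+)", rest)
            ops[key]["err"] = int(err.group(1)) if err else None
    return [
        {"conn": k[2], "op": k[3], "authz_dn": v.get("authz_dn"),
         "err": v.get("err"), "asserted": v.get("authz_dn") is not None}
        for k, v in sorted(ops.items()) if v.get("passmod")
    ]

if __name__ == "__main__":
    for rec in audit_passmod(SAMPLE_MASTER_LOG):
        print(rec)
```

A record with asserted set to False is a password change that reached the master without an identity assertion, so it ran under whatever identity that connection was bound as.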