
Re: OpenLDAP session authentication



Hi Dan,

Thanks so much for your help.  I'm getting closer.

The ldapwhoami seems to work now.

erik@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
SASL/PLAIN authentication started
Please enter your password:
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth
erik@starfish:~/ldif$

I can also run an ldapsearch to list the contents of my database:

erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W -Y plain
Enter LDAP Password:
SASL/PLAIN authentication started
SASL username: erik
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <ou=people, dc=lotspeich,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# people, lotspeich.org
dn: ou=people,dc=lotspeich,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
.
. *** DATA OMITTED! ***
.
# search result
search: 2
result: 0 Success

# numResponses: 136
# numEntries: 135

I have two questions/concerns:

1. If I leave the "-Y plain" option off of the argument list to
ldapsearch, I get "Invalid credentials":

erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
erik@starfish:~/ldif$

I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried
adding one for ldapsearch:

root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
pwcheck_method: saslauthd
mech_list: plain

This didn't seem to make a difference in allowing me to authenticate
without the "-Y" option.

2. I would like to use authenticated LDAP in Thunderbird.  I set
uid=erik,cn=plain,cn=auth as my Bind DN.  It asked for my password, but
always returned 'authentication failed'.

I don't know if #1 or #2 are related.  I know I must be missing
something.  From what I understand (which isn't much), I'm not using
simple bind, so I don't need the mappings in my configuration file that
you mentioned previously.

Regards,

Erik

Dan White wrote:
> On 29/09/10 10:19 -0500, Erik Lotspeich wrote:
>> Hi Dan,
>>
>> I hope that you don't mind if I ask a follow-up question:
>>
>> root@starfish:/usr/local/etc/openldap# testsaslauthd -u erik -p XXX -s slapd
>> 0: OK "Success."
>>
>> That works, but when I run ldapwhoami, it doesn't:
>>
>> root@starfish:/usr/local/etc/openldap# ldapwhoami -Y login -U erik -H ldap://localhost
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>        additional info: SASL(-4): no mechanism available: No worthy mechs found
>>
>> I did a search on the internet, and I ran this command:
>>
>> root@starfish:/usr/local/etc/openldap# ldapsearch -x -ZZ -s base -b ""
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> #
>> dn:
>> objectClass: top
>> objectClass: OpenLDAProotDSE
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> In other examples I've seen, mechanisms such as PLAIN or LOGIN are listed
>> here.
> 
> Make sure you have the appropriate sasl shared libraries installed on both
> your server and your client (which appears to be the same according to your
> examples from above).  Use pluginviewer/saslpluginviewer to see which
> server/client mechanisms you do have installed.
> 
> For instance, on a Debian system you'd need to have the libsasl2-modules
> package.
> 
> If you do have those mechanisms installed but are still not seeing them in
> the '-s base -b ""' search, make sure you've added 'sasl-secprops none' to
> your openldap slapd.conf.
>
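
As an added illustration of Dan's advice on checking the root DSE (this is not code from the thread or from OpenLDAP), here is a small Python parser for ldapsearch's LDIF output that reports which SASL mechanisms the server advertises and why a given "-Y" mechanism might be missing. It assumes the constructed sample root DSE embedded below and the slapd.conf(5) default of sasl-secprops "noanonymous,noplain", which is what withholds PLAIN and LOGIN until 'sasl-secprops none' is set.

```python
import base64

# Constructed sample, not from the thread: root DSE as printed by
#   ldapsearch -x -s base -b "" supportedSASLMechanisms
# (an operational attribute: name it, or give '+', or it is not returned).
SAMPLE_ROOTDSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms:: TlRMTQ==

# search result
result: 0 Success
"""
# Cleartext mechanisms; withheld under the default secprops "noanonymous,noplain".
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ldif(text):
    """[(dn, {attr: [values]})]: unfolds continuations, skips comments, base64."""
    text = text.replace("\n ", "")             # a leading space continues the line
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:
        if line == "":                         # blank line ends a record; the
            if "dn" in attrs:                  # trailing result block has no dn
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return entries

def advertised_mechs(ldif_text):
    """Upper-cased SASL mechanisms advertised by the root DSE (dn "")."""
    return {m.upper() for dn, a in parse_ldif(ldif_text) if dn == ""
            for m in a.get("supportedSASLMechanisms", [])}

def diagnose(ldif_text, wanted):
    """Why a '-Y <wanted>' bind would or would not be negotiated."""
    mechs, wanted = advertised_mechs(ldif_text), wanted.upper()
    if wanted in mechs:
        return "ok"
    if not mechs:
        return "none advertised: request the attribute; check pluginviewer"
    if wanted in PLAINTEXT_MECHS:
        return "hidden by secprops: add 'sasl-secprops none' if the plugin is installed"
    return "not installed; server offers " + ", ".join(sorted(mechs))
```

Note that supportedSASLMechanisms is an operational attribute, so the '-s base -b ""' search quoted above has to name it (or pass '+') before it will show anything at all.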