
Re: BINDDN in ~/.ldaprc ignored(?)
On 02/09/2016 03:41 PM, Dan White wrote:
> On 02/09/16 10:28 +0100, Frank Thommen wrote:
>> BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.
>>
>> /etc/openldap/ldap.conf is empty.
>>
>> ~/.ldaprc is:
>>
>> $ cat ~/.ldaprc
>> BINDDN      <myBindDN>
>> BASE        <myBaseDN>
>> URI         ldaps://<myLDAPServer>
>> TLS_REQCERT never
>> $
>>
>> ldapsearch returns an error if I don't declare the bindDN on the
>> commandline:
>>
>> $ ldapsearch -W -v cn=xyz
>> ldap_initialize( <DEFAULT> )
>> Enter LDAP Password:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure.  Minor code may provide more information (No Kerberos
>> credentials available)
>> $

> For SASL binds, specify SASL_AUTHCID instead; however this option will be
> ignored by the sasl library for GSSAPI binds, in which case SASL_AUTHZID
> may be used if you need to specify an authz identity.

Thanks. But even after reading through a dozen different webpages and documentation pages I still don't understand what a SASL_AUTHCID or SASL_AUTHZID looks like, or where I get the appropriate information from.


> For non-sasl binds, specify '-x' on your command line, which does make use
> of BINDDN.

Yes, that works fine. Maybe it should be made clearer in the manpage that BINDDN does not apply (?) when not using simple authentication?

frank
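The two bind forms discussed in this thread, side by side, as an added example that is not part of the thread or of the OpenLDAP project's documentation. Both ~/.ldaprc files below are constructed; the host name, DNs, Kerberos realm, user name and CA-bundle path are placeholders. The point they illustrate is the one Dan makes: BINDDN is a user-only option that only a simple bind (ldapsearch -x) consumes, whereas a SASL/GSSAPI bind takes its authentication identity (the authcid) from the Kerberos ticket obtained with kinit, which is why SASL_AUTHCID is ignored for GSSAPI and why the original command failed with "No Kerberos credentials available". SASL_AUTHZID, if needed at all, uses the u:<username> or dn:<DN> form documented in ldap.conf(5). The example also replaces TLS_REQCERT never, which switches off verification of the server certificate, with TLS_REQCERT demand and a CA bundle.

```conf
# ~/.ldaprc, variant A: simple bind.
# Constructed example; every value below is a placeholder.
# BINDDN is a user-only option: it is read from ~/.ldaprc (not from the
# system-wide /etc/openldap/ldap.conf) and used only by simple (-x) binds.
URI          ldaps://ldap.example.com
BASE         dc=example,dc=com
BINDDN       uid=frank,ou=people,dc=example,dc=com
# Verify the server certificate against a CA bundle instead of
# TLS_REQCERT never, which accepts any certificate.
TLS_CACERT   /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT  demand
#
# Usage:  ldapsearch -x -W cn=xyz
#   -x selects simple bind, so BINDDN supplies the bind DN (-D) and
#   -W prompts for that DN's password.

# ~/.ldaprc, variant B: SASL/GSSAPI bind.
# Constructed example; every value below is a placeholder.
URI          ldaps://ldap.example.com
BASE         dc=example,dc=com
TLS_CACERT   /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT  demand
SASL_MECH    GSSAPI
SASL_REALM   EXAMPLE.COM
# No BINDDN here: a SASL bind never reads it. For GSSAPI the
# authentication identity is the Kerberos principal in the ticket
# cache, so SASL_AUTHCID is ignored. Set SASL_AUTHZID only if you
# must act as another identity and the server permits it; ldap.conf(5)
# accepts the forms u:<username> and dn:<DN>, for example:
# SASL_AUTHZID u:frank
#
# Usage:  kinit frank@EXAMPLE.COM      (obtain a ticket first)
#         ldapsearch -Y GSSAPI cn=xyz
#   Without a valid ticket the bind fails with the "No Kerberos
#   credentials available" error quoted above.
```

Which variant applies is decided by the command line, not by the file: without -x (or with -Y) ldapsearch attempts a SASL bind and BINDDN is never consulted, which is the behaviour the thread observed.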