On Fri, 2007-10-26 at 19:59 -0700, Quanah Gibson-Mount wrote:
    ldapsearch -ZZ -U "openldap" -b "dc=pwd,dc=lubemobile,dc=com,dc=au" "(uid=it)"
    ldap_sasl_interactive_bind_s: Confidentiality required (13)
            additional info: SASL confidentiality required
Is that a bug?
I suggest reading the part on sasl-secprops in the slapd.conf(5) man page. It notes that the default setting is to block anonymous and plain SASL binds.
I suspect you are right in that it is the cause of the problem because a -Y DIGEST-MD5 fixes it. But, as I said, it worked before the security option was added. It worked because DIGEST-MD5 was the default. So why isn't it the default now?
Now that you have pointed it out, I guess that the addition of the 'security' option prevented SASL from searching dn="" for the types of authentications supported.
    access to userPassword
        by users read sasl_ssf=128 break
        by users read tls=128
I think might do it.
You would think that would do it - certainly I did. But you would be wrong. Currently it doesn't, and that is what this ITS is about. The patch I supplied with the initial bug report changes things so it does work.