I had set up a secured TLS with all the certificates and keys needed. But still, I cannot login using SASL and PLAIN/LOGIN mechanisms over TLS. The user in the example has the userPassword hashed in MD5. See errors below:
ldapsearch -h localhost:9999 -Y PLAIN -w pass1 -U user1 -b
dc=my-domain,dc=com -s base -ZZ SASL/PLAIN authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: Password verification failed
ldapsearch -h localhost:9999 -Y LOGIN -w pass1 -U user1 -b
dc=my-domain,dc=com -s base -ZZ SASL/LOGIN authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: checkpass failed
Using cleartext password solves the problem but this is not what I am trying to do. Just a reminder of what I am trying to achieve: In the database I want the userPassword field to be hashed and the bind authentication will be against it using the authz-regexp directive in slapd.conf. Using DIGEST-MD5 SASL doesn't help here because the userPassword needs to be in cleartext in the database.
Yet again, any help will be appreciated. Zohar
On 10/23/07, Dieter Kluenter dieter@dkluenter.de wrote:
"Zohar Lev Shani" levshani5252@gmail.com writes:
OK, got that.
Now I am trying a different SASL configuration, and I have these mechanisms available:
ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base
-LLL
dn: supportedSASLMechanisms: LOGIN supportedSASLMechanisms: PLAIN
With the same data, I tried running ldapsearch with SASL and got that there are no SASL mechanisms available.
ldapsearch -h localhost:9999 -Y PLAIN -U user1 -w pass1 -LLL -b
cn=user1,cn=users,dc=my-domain,dc=com
ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy
mechs found
Same goes for '-Y LOGIN'.
What am I missing here?
OpenLDAP only supports PLAIN and LOGIN if data transport is secured that is either by TLS or local pipe. Install sasl libdigestmd5 and libcrammd5 to provide shared secret security.
-Dieter
-- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6