Erik,
Erik Lotspeich wrote on 05.10.2010 at 22:04:
I have two questions/concerns:
- If I leave the "-Y plain" option off of the argument list to
ldapsearch, I get "Invalid credentials":
As far as I know from other SASL-using software (like Postfix), the client always chooses the "securest" available mechanism offered by the server. So if you do not minimize the mechanism offered, the client tries a mechanism that might not be intended to be used. [openldap may do it in another way, anyway - but I don't think so.]
I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried adding one for ldapsearch:
root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
pwcheck_method: saslauthd
mech_list: plain
I don't think this file will be used. The file must be named like the application name the software communicates to SASL, which is slapd for the openldap server.
Did you set mech_list: plain in slapd.conf in /usr/local/sasl2 to tell slapd to just offer PLAIN?
Marc