Hi Dan,
Thanks so much for your help. I'm getting closer.
The ldapwhoami seems to work now.
erik@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
SASL/PLAIN authentication started
Please enter your password:
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth
erik@starfish:~/ldif$
I can also run an ldapsearch to list the contents of my database:
erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W -Y plain
Enter LDAP Password:
SASL/PLAIN authentication started
SASL username: erik
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <ou=people, dc=lotspeich,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# people, lotspeich.org
dn: ou=people,dc=lotspeich,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
.
.
*** DATA OMITTED! ***
.
# search result
search: 2
result: 0 Success

# numResponses: 136
# numEntries: 135
I have two questions/concerns:
1. If I leave the "-Y plain" option off of the argument list to ldapsearch, I get "Invalid credentials":
erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
erik@starfish:~/ldif$
I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried adding one for ldapsearch:
root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
pwcheck_method: saslauthd
mech_list: plain
This didn't seem to make a difference in allowing me to authenticate without the "-Y" option.
2. I would like to use authenticated LDAP in Thunderbird. I set uid=erik,cn=plain,cn=auth as my Bind DN. It asked for my password, but always returned 'authentication failed'.
I don't know if #1 or #2 are related. I know I must be missing something. From what I understand (which isn't much), I'm not using simple bind, so I don't need the mappings in my configuration file that you mentioned previously.
Dan White wrote:
On 29/09/10 10:19 -0500, Erik Lotspeich wrote:
Hi Dan,
I hope that you don't mind if I ask a follow-up question:
root@starfish:/usr/local/etc/openldap# testsaslauthd -u erik -p XXX -s slapd
0: OK "Success."
That works, but when I run ldapwhoami, it doesn't:
root@starfish:/usr/local/etc/openldap# ldapwhoami -Y login -U erik -H ldap://localhost
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
I did a search on the internet, and I ran this command:
root@starfish:/usr/local/etc/openldap# ldapsearch -x -ZZ -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 3
result: 0 Success
In other examples I've seen, mechanisms such as PLAIN or LOGIN are listed here.
Make sure you have the appropriate sasl shared libraries installed on both your server and your client (which appears to be the same according to your examples from above). Use pluginviewer/saslpluginviewer to see which server/client mechanisms you do have installed.
For instance, on a Debian system you'd need to have the libsasl2-modules package.
If you do have those mechanisms installed but are still not seeing them in the '-s base -b ""' search, make sure you've added 'sasl-secprops none' to your openldap slapd.conf.
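A small rootDSE check in the spirit of Dan's '-s base -b ""' advice, added here as an example and not code from either poster: it parses the LDIF that ldapsearch prints, lists supportedSASLMechanisms, and flags the password-bearing ones (PLAIN, LOGIN) that should only be offered over TLS. Both LDIF samples are constructed; the second mirrors the thread's rootDSE, which advertised nothing.

```python
import base64

# Constructed rootDSE output (ldapsearch -x -s base -b "") from a server that
# does advertise mechanisms; includes a folded line and a base64 ('::') value.
SAMPLE_LDIF = """\
# base <> with scope baseObject
dn:
objectClass: OpenLDAProotDSE
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-M
 D5
supportedSASLMechanisms:: TE9HSU4=

result: 0 Success
"""
# Constructed to mirror the thread's rootDSE, which listed no mechanisms.
NO_MECHS_LDIF = "dn:\nobjectClass: top\nobjectClass: OpenLDAProotDSE\n\nresult: 0 Success\n"

# Mechanisms that carry the password itself; only acceptable over TLS
# (ldaps:// or StartTLS with -ZZ, as the thread's commands already use).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ldif_entry(text):
    """Return {attr: [values]} for the first entry: skips '#' comments,
    unfolds continuation lines and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line:                        # blank line ends the entry
            if attrs:
                break
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:  # comment or malformed line
            continue
        if rest.startswith(":"):            # base64-encoded value
            rest = base64.b64decode(rest[1:].strip()).decode()
        attrs.setdefault(name, []).append(rest.strip())
    return attrs

def sasl_report(ldif_text):
    """Return (advertised mechanisms, those that send the password itself)."""
    mechs = parse_ldif_entry(ldif_text).get("supportedSASLMechanisms", [])
    return mechs, sorted(m for m in mechs if m in CLEARTEXT_MECHS)
```

An empty first list means the server advertises no SASL mechanisms at all, which is the plugin or sasl-secprops situation above rather than a credentials problem.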