On 05/10/10 15:04 -0500, Erik Lotspeich wrote:
Hi Dan,
Thanks so much for your help. I'm getting closer.
The ldapwhoami seems to work now.
erik@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
SASL/PLAIN authentication started
Please enter your password:
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth
erik@starfish:~/ldif$
I have two questions/concerns:
- If I leave the "-Y plain" option off of the argument list to ldapsearch, I get "Invalid credentials":
That might indicate that your client utilities are attempting to use a mechanism that is not able to complete your authentication, such as DIGEST-MD5, or perhaps EXTERNAL.
A work around is to create a '.ldaprc' file in your home directory with the contents:
SASL_MECH PLAIN
which all OpenLDAP client utilities (and client library) should honor. See the man page for ldap.conf(5) for details.
erik@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
erik@starfish:~/ldif$
I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried adding one for ldapsearch:
Is that /usr/lib/sasl2/slapd.conf or /usr/local/sasl2/slapd.conf (should be the former)?
The file name is determined by the SASL library (or how OpenLDAP calls it), and should always be 'slapd.conf' for OpenLDAP. The default location for the file should be /usr/lib/sasl2, but it may also be looked for in /etc/sasl2, depending on the version of Cyrus you're using and what '--with-configdir' option was passed to it at compile time.
root@starfish:/usr/lib/sasl2# cat ldapsearch.conf
pwcheck_method: saslauthd
mech_list: plain
This didn't seem to make a difference in allowing me to authenticate without the "-Y" option.
- I would like to use authenticated LDAP in Thunderbird. I set uid=erik,cn=plain,cn=auth as my Bind DN. It asked for my password, but always returned 'authentication failed'.
The 'uid=erik,cn=plain,cn=auth' is your derived authenticated identity based on SASL authentication. Thunderbird will need to perform a SASL bind using a username of 'erik' and your password. You cannot perform simple authentication using that DN unless that DN actually exists in your tree.
See chapter 15 of the OpenLDAP Software 2.4 Administrator's Guide for a discussion of mapping authentication identities to DNs.
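The following is an added illustration of the point made in this reply; it is not code from the thread or from OpenLDAP. It shows why a SASL PLAIN bind and a simple bind behave differently here: the PLAIN mechanism carries a bare username (RFC 4616 message layout), slapd turns that username into the synthetic identity 'uid=<user>,cn=<mech>,cn=auth', and a simple bind against that synthetic DN can only succeed if an entry with that DN really exists. The authz-regexp rule and the directory contents below are constructed assumptions (the 'ou=people,dc=lotspeich,dc=org' base is taken from the thread); the regexp-rewrite helper imitates the first-match, $1-substitution behaviour of slapd's authz-regexp directive in simplified form and is not slapd's own implementation.

```python
import hmac
import re
from typing import Dict, List, Optional, Tuple


def sasl_plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the SASL PLAIN client message per RFC 4616:
    [authzid] NUL authcid NUL passwd.  The client sends a plain username
    ('erik'), not a DN, which is why ldapwhoami -U erik works."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    return (authzid.encode("utf-8") + b"\x00"
            + authcid.encode("utf-8") + b"\x00"
            + password.encode("utf-8"))


def derived_auth_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """Synthetic authentication identity slapd derives from a SASL bind:
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth (cn=<realm> omitted when
    the mechanism supplies no realm, as with PLAIN)."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.append(f"cn={mech.lower()}")
    parts.append("cn=auth")
    return ",".join(parts)


def apply_authz_regexp(auth_dn: str, rules: List[Tuple[str, str]]) -> str:
    """Simplified imitation of slapd's authz-regexp: rules are tried in
    order, the first full match wins, and $1..$9 in the replacement are
    filled from the capture groups.  Unmatched identities pass through."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


def simple_bind(entries: Dict[str, Dict[str, str]], dn: str, password: str) -> bool:
    """Toy simple bind: succeeds only if the DN exists as a real entry and
    the supplied password matches.  A synthetic cn=auth DN has no entry,
    so a simple bind with it fails with 'Invalid credentials'."""
    entry = entries.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry.get("userPassword", ""), password)


# Constructed sample directory: one real user entry (assumption).
ENTRIES = {
    "uid=erik,ou=people,dc=lotspeich,dc=org": {"userPassword": "s3cret"},
}

# Constructed authz-regexp rule mapping PLAIN identities into ou=people (assumption).
AUTHZ_RULES = [
    (r"uid=([^,]*),cn=plain,cn=auth", "uid=$1,ou=people,dc=lotspeich,dc=org"),
]


def demo() -> Tuple[str, str, bool, bool]:
    """Walk through the two bind paths for user 'erik' with password 's3cret'."""
    synthetic = derived_auth_dn("erik", "PLAIN")          # what ldapwhoami printed
    mapped = apply_authz_regexp(synthetic, AUTHZ_RULES)   # what chapter 15 mapping yields
    simple_with_synthetic = simple_bind(ENTRIES, synthetic, "s3cret")  # fails: no such entry
    simple_with_mapped = simple_bind(ENTRIES, mapped, "s3cret")        # succeeds: real entry
    return synthetic, mapped, simple_with_synthetic, simple_with_mapped


if __name__ == "__main__":
    print(sasl_plain_initial_response("erik", "s3cret"))
    print(demo())
```

The practical consequence for a client like Thunderbird is the one stated in the reply: either configure it to do a SASL bind with the username 'erik', or give it the real entry DN (here 'uid=erik,ou=people,dc=lotspeich,dc=org') for a simple bind; the synthetic cn=auth DN is never bindable by itself.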