On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
> > On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
> > > Da Rock wrote:
> > > > so I'm trying to
> > > > work out how to set up the system to do a simple bind
> > > ldapsearch -x -D <bind-DN>
> > I know that, thanks, but this is affecting other apps from obtaining
> > data from the system. I can also just go ldapsearch -x for anonymous. It
> > appears I'm all in or bust! Unless I can set it up so apps can do simple
> If you can do a simple bind (anonymous, or authenticated), there (in most
> cases) is nothing preventing other applications from doing simple binds.
> Having SASL support compiled in to the server does not prevent other
> applications from doing simple binds.
> Maybe you should provide more information about the applications in question,
> and how they are configured.
> (Note: In the past Apple's LDAP client software for Mac OS seems to use
> whichever SASL mechanisms are advertised by the LDAP server, but this again
> isn't about SASL support being compiled in or not).
That's what I would have figured, yet I get no joy, nothing I can see out
of the ordinary in the logs, and all the apps are auth types (courier,
pam, postfix) - plus records for bind.
Bind doesn't bind to the LDAP, and I'm trying to set up the others to do
the same. Obviously, courier has to bind to confirm auth - but only as
the user (not bind as courier, then again as the user).
Bind works: tested that myself. The others fail miserably.
I'm not entirely sure what else I need to add exactly; the platform is
FreeBSD with OpenLDAP built with SASL from ports.
Before anyone suggests it, I already have a mail server running
(postfix, courier); I want LDAP as lookup source to ease administration.
The pam is completely new to me, I'm following a lot of howtos on the
web to compile a picture of how it all works.
Now as to pam, I thought it must be my ineptitude in configuration, so I
put it on hold and moved to something easier. Unfortunately I hit a
similar snag there with the imap auth, hence I looked at the ldapsearch
angle. Seems I could be wrong there based on comments received....