Hi folks,
first of all, thanks for all the comments on my previous posts!
Finally I'm faced with hopefully the last authentication problem, and maybe someone could tell me an answer or point me once more in the right direction.
My consumer server should bind to the provider using SASL with the saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ... bindmethod=sasl saslmech=EXTERNAL starttls=yes
provider:
authz-regexp "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" "cn=replicator,dc=filmakademie,dc=de"
after restarting both servers I do get the error:
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
I've searched my docs and online howtos and found postings about "know sasl before using openldap", but the sasl docs didn't help either.
Thanks for any help and best regards,
Götz
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
Hi folks,
[...]
My consumer server should bind to the provider using SASL with the saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ... bindmethod=sasl saslmech=EXTERNAL starttls=yes
provider:
authz-regexp "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" "cn=replicator,dc=filmakademie,dc=de"
after restarting both servers I do get the error:
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
[...]
I don't see a configuration for client certs; as an example I provide my slapd.conf:
syncrepl rid=042 provider=ldap://rubin.avci.de sizelimit=unlimited bindmethod=sasl saslmech=external starttls=yes tls_cert=/etc/openldap/certs/replicator.pem tls_key=/etc/openldap/certs/replicator-key.pem tls_cacert=/etc/openldap/certs/avciCA.pem tls_reqcert=demand searchbase="o=avci,c=de" scope=sub [...]
-Dieter
Dieter Kluenter wrote:
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
Hi folks,
[...]
My consumer server should bind to the provider using SASL with the saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ... bindmethod=sasl saslmech=EXTERNAL starttls=yes
provider:
authz-regexp "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" "cn=replicator,dc=filmakademie,dc=de"
after restarting both servers I do get the error:
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
[...]
I don't see a configuration for client certs; as an example I provide my slapd.conf:
syncrepl rid=042 provider=ldap://rubin.avci.de sizelimit=unlimited bindmethod=sasl saslmech=external starttls=yes tls_cert=/etc/openldap/certs/replicator.pem tls_key=/etc/openldap/certs/replicator-key.pem tls_cacert=/etc/openldap/certs/avciCA.pem tls_reqcert=demand searchbase="o=avci,c=de" scope=sub [...]
Hi Dieter,
it looks like I still have some misunderstanding of where to set some options after following my manual... Maybe your book is better ;-)
I added the tls_* options to my consumer slapd.conf and started both servers again. Now I still get messages on the provider which confuse me, in particular the line "Converted SASL name to <nothing>":
do_sasl_bind: dn (cn=replicator,dc=filmakademie,dc=de) mech EXTERNAL
==>slap_sasl2dn: converting SASL name email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de to a DN
slap_authz_regexp: converting SASL name email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/EXTERNAL bind: dn="email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" sasl_ssf=0
Any suggestions? Thanks for your response,
/Götz
On 14.04.2010 09:36, Götz Reinicke - IT-Koordinator wrote:
Dieter Kluenter wrote:
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
Hi folks,
[...]
My consumer server should bind to the provider using SASL with the saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ... bindmethod=sasl saslmech=EXTERNAL starttls=yes
provider:
authz-regexp "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" "cn=replicator,dc=filmakademie,dc=de"
At first sight, it looks like a wrong authz-regexp: dn=email= ....
after restarting both servers I do get the error:
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
[...]
I don't see a configuration for client certs; as an example I provide my slapd.conf:
syncrepl rid=042 provider=ldap://rubin.avci.de sizelimit=unlimited bindmethod=sasl saslmech=external starttls=yes tls_cert=/etc/openldap/certs/replicator.pem tls_key=/etc/openldap/certs/replicator-key.pem tls_cacert=/etc/openldap/certs/avciCA.pem tls_reqcert=demand searchbase="o=avci,c=de" scope=sub [...]
Hi Dieter,
it looks like I still have some misunderstanding of where to set some options after following my manual... Maybe your book is better ;-)
I added the tls_* options to my consumer slapd.conf and started both servers again. Now I still get messages on the provider which confuse me, in particular the line "Converted SASL name to <nothing>":
do_sasl_bind: dn (cn=replicator,dc=filmakademie,dc=de) mech EXTERNAL
==>slap_sasl2dn: converting SASL name email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de to a DN
slap_authz_regexp: converting SASL name email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/EXTERNAL bind: dn="email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" sasl_ssf=0
Any suggestions? Thanks for your response,
/Götz
Oliver Liebel wrote:
On 14.04.2010 09:36, Götz Reinicke - IT-Koordinator wrote:
Dieter Kluenter wrote:
Götz Reinicke - IT-Koordinator goetz.reinicke@filmakademie.de writes:
Hi folks,
[...]
My consumer server should bind to the provider using SASL with the saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ... bindmethod=sasl saslmech=EXTERNAL starttls=yes
provider:
authz-regexp "dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" "cn=replicator,dc=filmakademie,dc=de"
At first sight, it looks like a wrong authz-regexp: dn=email= ....
That's right, AND I had a line break between both values. After changing both, everything works like I thought it should.
Regards,
Götz
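The two mistakes the thread ends on (a `dn=` prefix that the certificate subject never carries, and a line break splitting the directive's two arguments) can be reproduced without a running slapd. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of the slapd.conf(5) continuation rule (a line beginning with white space continues the previous directive) and of authz-regexp mapping of the SASL/EXTERNAL identity, which the posted provider log shows as the certificate subject DN in normalised string form. It feeds the thread's own subject DN through the broken and the corrected directives; the matching semantics (regex applied case-insensitively from the start of the name) and the strict two-argument check are simplifications of this toy, and the `cn=$1,ou=replicators,...` rule at the end is a hypothetical generalisation, not something from the thread.

```python
"""Toy model of slapd's authz-regexp mapping for a SASL/EXTERNAL bind.

Added example, not from the thread or from OpenLDAP.  It models two
slapd.conf(5) behaviours: a line that begins with white space continues
the previous directive, and "authz-regexp <match> <replace>" rewrites a
matching SASL authentication identity into the replacement DN.  For SASL
EXTERNAL over TLS the identity slapd tries to map is the client cert's
subject DN in normalised string form, as the provider log in the thread
shows after "converting SASL name"; there is no "dn=" in front of it.
Regex semantics here (re.match, case-insensitive) are a simplification.
"""
import re
import shlex
from typing import List, Optional, Tuple

# Subject DN of the consumer's client certificate, exactly as the provider
# logged it in the thread (the "SASL name" slapd tries to convert).
CERT_SUBJECT = ("email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,"
                "ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
                "l=ludwigbsburg,st=baden-wuerttemberg,c=de")
REPLICATOR_DN = "cn=replicator,dc=filmakademie,dc=de"


def join_continuations(text: str) -> List[str]:
    """slapd.conf(5): a line starting with white space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_authz_regexp(text: str) -> List[Tuple[str, str]]:
    """Return (match, replace) pairs; refuse a directive missing its 2nd argument."""
    rules: List[Tuple[str, str]] = []
    for line in join_continuations(text):
        args = shlex.split(line)
        if not args or args[0].lower() != "authz-regexp":
            continue
        if len(args) != 3:
            raise ValueError(f"authz-regexp needs exactly two arguments, got {args[1:]}")
        rules.append((args[1], args[2]))
    return rules


def sasl2dn(sasl_name: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """First matching rule wins; None models 'Converted SASL name to <nothing>'."""
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_name, re.IGNORECASE)
        if m:
            # slapd writes back-references as $1, $2 ...; Python's expand wants \1
            return m.expand(replacement.replace("$", "\\"))
    return None


def effective_bind_dn(sasl_name: str, rules: List[Tuple[str, str]]) -> str:
    """The thread's log shows that with no mapping the bind still succeeds, as the
    raw certificate subject DN, an identity to which no ACL grants replication
    rights.  That is the quiet failure mode worth checking for (ldapwhoami)."""
    return sasl2dn(sasl_name, rules) or sasl_name


# Constructed config fragments reproducing the thread's two mistakes and the fix.
BROKEN_PREFIX = f'authz-regexp "dn={CERT_SUBJECT}" "{REPLICATOR_DN}"\n'
# Second argument on its own, unindented line: it is not a continuation.
BROKEN_LINEBREAK = f'authz-regexp "{CERT_SUBJECT}"\n"{REPLICATOR_DN}"\n'
# Indented second line is a continuation, so both arguments reach the directive.
FIXED = f'authz-regexp "{CERT_SUBJECT}"\n    "{REPLICATOR_DN}"\n'
# Hypothetical generalisation (not from the thread): map every host cert issued
# under filmakademie.de to its own replicator entry via a back-reference.
GENERIC = ('authz-regexp "email=[^,]+,cn=([^,.]+)\\.filmakademie\\.de,.*"\n'
           '    "cn=$1,ou=replicators,dc=filmakademie,dc=de"\n')


if __name__ == "__main__":
    print("dn= prefix  ->", effective_bind_dn(CERT_SUBJECT, parse_authz_regexp(BROKEN_PREFIX)))
    print("fixed       ->", effective_bind_dn(CERT_SUBJECT, parse_authz_regexp(FIXED)))
    print("generic     ->", effective_bind_dn(CERT_SUBJECT, parse_authz_regexp(GENERIC)))
    try:
        parse_authz_regexp(BROKEN_LINEBREAK)
    except ValueError as exc:
        print("line break  ->", exc)
```

Run as a script it prints the unmapped subject DN for the `dn=` variant, `cn=replicator,dc=filmakademie,dc=de` for the corrected directive, and a parse error for the unindented line break. Against a real provider the equivalent check is `ldapwhoami -H ldap://provider -ZZ -Y EXTERNAL` from the consumer with its client certificate configured; the answer should be `dn:cn=replicator,...`, not the certificate subject.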
openldap-technical@openldap.org