Hi, I need help from you guys. Does anyone know how to customize Squid, DansGuardian, Postfix and Samba to use OpenLDAP, and have OpenLDAP authenticate the username/password with MS-AD?
Thanks, Oshim
On 18/07/10 21:08 +0600, OSHIM wrote:
Hi, I need help from you guys. Does anyone know how to customize Squid, DansGuardian, Postfix and Samba to use OpenLDAP, and have OpenLDAP authenticate the username/password with MS-AD?
When performing SASL binds against OpenLDAP, you can configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
and configure /etc/saslauthd.conf with:
ldap_servers: ldap://192.0.2.1/
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
and consequently you would configure your /etc/postfix/sasl/smtpd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
Configuring identical contents for /etc/saslauthd.conf on your Postfix server would authenticate directly to the MS-AD server. If you really do wish to authenticate to the OpenLDAP server and have it re-authenticate to AD, configure your /etc/saslauthd.conf with:
ldap_servers: ldap://192.0.2.2/
ldap_use_sasl: yes
ldap_mech: PLAIN
Where 192.0.2.2 is the address of your slapd server. You would also want to configure an SSL/TLS protection layer to protect the transmission of your passwords to the slapd server.
See Chapter 15 (Using SASL) of the OpenLDAP administrator's guide for the authz-regexp configuration that should be necessary to complete this approach. Also, see saslauthd/LDAP_SASLAUTHD within the cyrus sasl source tree for saslauthd.conf documentation. For troubleshooting, see 'testsaslauthd', 'smtptest', and 'saslfinger'. The first two are distributed with cyrus sasl, and the last is distributed by Patrick Koetter.
I'm not familiar with configuring Squid, Dansguardian, and Samba in a scenario like this, but I would imagine doing what you want (proxying authentication via slapd) is going to get exponentially complex. It may make more sense to have those applications authenticate directly to the AD server.
What we want to achieve is that users of services like OpenVPN, web proxy, email, file sharing, etc. will only need to remember their MS AD password, and they will be able to log in to the corresponding services they are entitled to use. In order to do so, we will need to configure OpenLDAP on Linux to authenticate against the MS AD server. OpenLDAP will contain the user information, but authentication will come from MS AD.
Sent from my iPad
On Jul 18, 2010, at 11:31 PM, Dan White dwhite@olp.net wrote:
When performing SASL binds against OpenLDAP, you can configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
and configure /etc/saslauthd.conf with:
ldap_servers: ldap://192.0.2.1/
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
and consequently you would configure your /etc/postfix/sasl/smtpd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
Configuring identical contents for /etc/saslauthd.conf on your Postfix server would authenticate directly to the MS-AD server. If you really do wish to authenticate to the OpenLDAP server and have it re-authenticate to AD, configure your /etc/saslauthd.conf with:
ldap_servers: ldap://192.0.2.2/
ldap_use_sasl: yes
ldap_mech: PLAIN
Where 192.0.2.2 is the address of your slapd server. You would also want to configure an SSL/TLS protection layer to protect the transmission of your passwords to the slapd server.
See Chapter 15 (Using SASL) of the OpenLDAP administrator's guide for the authz-regexp configuration that should be necessary to complete this approach. Also, see saslauthd/LDAP_SASLAUTHD within the cyrus sasl source tree for saslauthd.conf documentation. For troubleshooting, see 'testsaslauthd', 'smtptest', and 'saslfinger'. The first two are distributed with cyrus sasl, and the last is distributed by Patrick Koetter.
I'm not familiar with configuring Squid, Dansguardian, and Samba in a scenario like this, but I would imagine doing what you want (proxying authentication via slapd) is going to get exponentially complex. It may make more sense to have those applications authenticate directly to the AD server.
-- Dan White
On 18/07/10 23:52 +0600, OSHIM wrote:
What we want to achieve is that users of services like OpenVPN, web proxy, email, file sharing, etc. will only need to remember their MS AD password, and they will be able to log in to the corresponding services they are entitled to use. In order to do so, we will need to configure OpenLDAP on Linux to authenticate against the MS AD server. OpenLDAP will contain the user information, but authentication will come from MS AD.
You've presented a list of software packages that just aren't going to work the same way. There's no consistent approach to how software uses LDAP to authenticate users.
You're going to need to do some research and find out how each package performs authentication:
1. Does the software directly bind to the LDAP server using the provided user credentials, and use the result as a yes/no determination of whether the user is authenticated?
2. If so, does it bind using SASL?
3. If not, does it bind to the server using a privileged account to retrieve the user's DN? Does it then perform a second bind to the LDAP server?
4. If not, does it simply use LDAP as a password database, retrieving the user's credentials via a privileged account and then acting on the retrieved password?
5. Something else? If it can't use LDAP, can it use PAM?
Can anyone help me out?
test:~# testsaslauthd -u swioshim -p Test2010
0: NO "authentication failed"
Why did authentication fail?
On Jul 19, 2010, at 12:57 AM, Dan White wrote:
You've presented a list of software packages that just aren't going to work the same way. There's no consistent approach to how software uses LDAP to authenticate users.
You're going to need to do some research and find out how each package performs authentication:
1. Does the software directly bind to the LDAP server using the provided user credentials, and use the result as a yes/no determination of whether the user is authenticated?
2. If so, does it bind using SASL?
3. If not, does it bind to the server using a privileged account to retrieve the user's DN? Does it then perform a second bind to the LDAP server?
4. If not, does it simply use LDAP as a password database, retrieving the user's credentials via a privileged account and then acting on the retrieved password?
5. Something else? If it can't use LDAP, can it use PAM?
-- Dan White
On 19/07/2010 12:45, OSHIM wrote:
Can anyone help me out?
test:~# testsaslauthd -u swioshim -p Test2010
0: NO "authentication failed"
Why did authentication fail?
saslauthd usually logs to the syslog facility "auth". Check your /var/log/auth.log (or similar, depending on your OS).
Jonathan
I have configured saslauthd with OpenLDAP to authenticate against MS AD. When I run testsaslauthd -u swioshim -p Test2010 I get 0: OK "Success." (swioshim is my MS AD user and Test2010 is the password from MS AD).
But when I run ldapsearch -x -D "cn=swioshim,dc=myproject,dc=com" -W -b dc=myproject,dc=com
I get the error: ldap_bind: Invalid credentials (49)
Please help.
On Jul 19, 2010, at 4:50 PM, Jonathan Clarke wrote:
saslauthd usually logs to the syslog facility "auth". Check your /var/log/auth.log (or similar, depending on your OS).
Jonathan
--
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
On 19/07/10 21:18 +0600, OSHIM wrote:
I have configured saslauthd with OpenLDAP to authenticate against MS AD. When I run testsaslauthd -u swioshim -p Test2010 I get 0: OK "Success." (swioshim is my MS AD user and Test2010 is the password from MS AD).
But when I run ldapsearch -x -D "cn=swioshim,dc=myproject,dc=com" -W -b dc=myproject,dc=com
I get the error: ldap_bind: Invalid credentials (49)
Please help.
saslauthd will not be called for simple (non-sasl) binds. You will need to tell ldapsearch to bind with SASL, such as:
ldapsearch -U swioshim -W -b dc=myproject,dc=com
You'll need to configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
And if you want to map the derived authentication identity to a DN in your slapd tree, then you'll need to configure appropriate authz-regexp statements. See chapter 15 (Using SASL) of the OpenLDAP administrator's guide.
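To make the authz-regexp step concrete, here is an added example (not code from the thread or from OpenLDAP) that emulates the mapping in POSIX shell: the identity slapd derives from a SASL bind, a rule made of a regular expression and an LDAP URL, and a constructed mini-directory standing in for the search the real server would run. The suffix dc=myproject,dc=net, the user names and the realm myproject.net are taken from the thread; the rule is widened from the Admin Guide's single-form example so that it accepts identities both with and without a realm component, which is my generalization.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenLDAP's code: emulates how slapd's
# authz-regexp turns a SASL authentication identity into a search URL and, via a
# constructed mini-directory, into the DN the bind ends up authorized as.
# Rule widened (my generalization) from the Admin Guide shape so it matches both
# "uid=U,cn=MECH,cn=auth" and "uid=U,cn=REALM,cn=MECH,cn=auth".
AUTHZ_RE='^uid=([^,]+)(,cn=[^,]+)?,cn=[^,]+,cn=auth$'
AUTHZ_URL='ldap:///dc=myproject,dc=net??sub?(uid=$1)'

# Constructed directory standing in for the real search: "uid|dn" per line.
DIRECTORY='oshim|cn=oshim,dc=myproject,dc=net
swioshim|cn=swioshim,dc=myproject,dc=net'

# sasl_authcid USER [REALM] MECH -> identity slapd derives before authz-regexp runs
sasl_authcid() {
  if [ "$#" -eq 3 ]; then
    printf 'uid=%s,cn=%s,cn=%s,cn=auth\n' "$1" "$2" "$3"
  else
    printf 'uid=%s,cn=%s,cn=auth\n' "$1" "$2"
  fi
}

# authz_map IDENTITY -> the URL with $1 substituted; rc 1 when the rule does not match
authz_map() {
  repl=$(printf '%s' "$AUTHZ_URL" | sed 's/\$1/\\1/g')
  out=$(printf '%s\n' "$1" | sed -n -E "s|$AUTHZ_RE|$repl|p")
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# resolve_url URL -> DN selected by the (uid=X) filter; rc 1 if none or ambiguous
resolve_url() {
  uid=$(printf '%s' "$1" | sed -n 's/.*(uid=\([^)]*\)).*/\1/p')
  [ -n "$uid" ] || return 1
  dn=$(printf '%s\n' "$DIRECTORY" | awk -F'|' -v u="$uid" '$1 == u { print $2 }')
  [ "$(printf '%s\n' "$dn" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$dn"
}

# sasl_to_dn USER [REALM] MECH -> whole chain: identity -> URL -> DN
sasl_to_dn() {
  url=$(authz_map "$(sasl_authcid "$@")") || return 1
  resolve_url "$url"
}

case "${1:-}" in
  --demo)
    sasl_authcid oshim myproject.net PLAIN
    authz_map "$(sasl_authcid oshim myproject.net PLAIN)"
    sasl_to_dn oshim myproject.net PLAIN
    ;;
esac
```

The point of running it against both identity forms is that ldapsearch -Y PLAIN -U oshim produces the short form while a client that passes a realm produces the long one; a rule written for only one of them silently maps nothing, and the bind then proceeds as the unmapped uid=...,cn=auth identity with no ACL rights in the tree.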
I have added into /etc/ldap/slapd.conf:
sasl-host localhost
sasl-secprops none
and I have also created /usr/lib/sasl2/slapd.conf and added the following two lines:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
On Jul 19, 2010, at 9:57 PM, Dan White wrote:
saslauthd will not be called for simple (non-sasl) binds. You will need to tell ldapsearch to bind with SASL, such as:
ldapsearch -U swioshim -W -b dc=myproject,dc=com
You'll need to configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
And if you want to map the derived authentication identity to a DN in your slapd tree, then you'll need to configure appropriate authz-regexp statements. See chapter 15 (Using SASL) of the OpenLDAP administrator's guide.
-- Dan White
On 19/07/2010 18:07, OSHIM wrote:
I have added into /etc/ldap/slapd.conf:
sasl-host localhost
sasl-secprops none
and I have also created /usr/lib/sasl2/slapd.conf and added the following two lines:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
With this configuration, saslauthd should be called for simple (non-sasl) binds.
Have you set the userPassword attribute in your OpenLDAP entry to "{SASL}swioshim@something"? And compiled OpenLDAP using the --enable-spasswd switch?
Jonathan
On Jul 19, 2010, at 9:57 PM, Dan White wrote:
saslauthd will not be called for simple (non-sasl) binds. You will need to tell ldapsearch to bind with SASL, such as:
ldapsearch -U swioshim -W -b dc=myproject,dc=com
You'll need to configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
And if you want to map the derived authentication identity to a DN in your slapd tree, then you'll need to configure appropriate authz-regexp statements. See chapter 15 (Using SASL) of the OpenLDAP administrator's guide.
-- Dan White
On 19/07/10 18:37 +0200, Jonathan Clarke wrote:
With this configuration, saslauthd should be called for simple (non-sasl) binds.
Have you set the userPassword attribute in your OpenLDAP entry to "{SASL}swioshim@something"? And compiled OpenLDAP using the --enable-spasswd switch?
Thanks, Jonathan.
I was not aware of that authentication method. That opens up a lot more opportunities for passthrough authentication to AD.
I have added a new user with the password {SASL}oshim@myproject.net. When I check it in Apache Directory Studio it shows a SASL hashed password, and under "show details" it shows me {SASL}oshim@myproject.net.
But if I run ldapsearch -x -D "cn=oshim,dc=myproject,dc=net" -W -b dc=myproject,dc=net
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
It shows the same error.
On Jul 19, 2010, at 10:37 PM, Jonathan Clarke wrote:
With this configuration, saslauthd should be called for simple (non-sasl) binds.
Have you set the userPassword attribute in your OpenLDAP entry to "{SASL}swioshim@something" ? And compiled OpenLDAP using the --enable-spasswd switch ?
Jonathan
--
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
test:~/lsc/etc# ldapsearch -U oshim -W -b dc=myproject,dc=net
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
On Jul 19, 2010, at 9:57 PM, Dan White wrote:
saslauthd will not be called for simple (non-sasl) binds. You will need to tell ldapsearch to bind with SASL, such as:
ldapsearch -U swioshim -W -b dc=myproject,dc=com
You'll need to configure /usr/lib/sasl2/slapd.conf with:
pwcheck_method: saslauthd
mech_list: plain login
And if you want to map the derived authentication identity to a DN in your slapd tree, then you'll need to configure appropriate authz-regexp statements. See chapter 15 (Using SASL) of the OpenLDAP administrator's guide.
-- Dan White
On 19/07/10 23:59 +0600, OSHIM wrote:
test:~/lsc/etc# ldapsearch -U oshim -W -b dc=myproject,dc=net
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
You either need:
mech_list: PLAIN LOGIN
in your /usr/lib/sasl/slapd.conf
or you need to explicitly specify a plaintext mechanism:
ldapsearch -Y PLAIN -U oshim -W -b dc=myproject,dc=net
saslauthd cannot support DIGEST-MD5 authentication.
After executing the command:
ldapsearch -Y PLAIN -U oshim -W -b dc=myproject,dc=net
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
On Jul 20, 2010, at 12:58 AM, Dan White wrote:
You either need:
mech_list: PLAIN LOGIN
in your /usr/lib/sasl/slapd.conf
or you need to explicitly specify a plaintext mechanism:
ldapsearch -Y PLAIN -U oshim -W -b dc=myproject,dc=net
saslauthd cannot support DIGEST-MD5 authentication.
-- Dan White
Can anyone clarify this line for me?
To work, passwords for OpenLDAP accounts will be of the form {SASL}account@realm. These two parameters, account and realm, are forwarded to saslauthd, which uses them in its LDAP filter to find the account in question.
On Jul 20, 2010, at 12:58 AM, Dan White wrote:
You either need:
mech_list: PLAIN LOGIN
in your /usr/lib/sasl/slapd.conf
or you need to explicitly specify a plaintext mechanism:
ldapsearch -Y PLAIN -U oshim -W -b dc=myproject,dc=net
saslauthd cannot support DIGEST-MD5 authentication.
-- Dan White
On 20/07/10 11:00 +0600, OSHIM wrote:
Can anyone clarify this line for me?
To work, passwords for OpenLDAP accounts will be of the form {SASL}account@realm. These two parameters, account and realm, are forwarded to saslauthd, which uses them in its LDAP filter to find the account in question.
That probably refers to a fully qualified username, such as 'jsmith@example.net'. I'm not sure that a SASL realm parameter can be passed using this method (sasl_checkpass).
Although saslauthd will support a fully qualified username if its backend does, AD does not seem to support it (or a SASL realm parameter even).
ldapsearch -Y PLAIN -U swimonowar -W -b dc=myproject,dc=net -v -d 1
ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password:
ldap_sasl_interactive_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=myproject.net
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
I am getting this error.
On Jul 20, 2010, at 12:58 AM, Dan White wrote:
You either need:
mech_list: PLAIN LOGIN
in your /usr/lib/sasl/slapd.conf
or you need to explicitly specify a plaintext mechanism:
ldapsearch -Y PLAIN -U oshim -W -b dc=myproject,dc=net
saslauthd cannot support DIGEST-MD5 authentication.
-- Dan White
On 20/07/10 12:44 +0600, OSHIM wrote:
ldapsearch -Y PLAIN -U swimonowar -W -b dc=myproject,dc=net -v -d 1
ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password:
ldap_sasl_interactive_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=myproject.net
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
I am getting this error.
Use:
ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
to see which mechanisms are offered by the server.
It appears that you will need to add the following line to your OpenLDAP config file (not your SASL config file), to have slapd offer the PLAIN mechanism:
sasl-secprops none
See the manpage for slapd.conf for additional details. Doing so is a security risk, and you should consider using SSL/TLS in a production environment.
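As an added example (not part of the thread, of OpenLDAP or of Cyrus SASL), the following POSIX shell script turns that diagnosis into a repeatable check: it parses a rootDSE listing in the shape ldapsearch prints, reads sasl-secprops from a slapd.conf fragment (falling back to slapd's default of noanonymous,noplain when the directive is absent), and reports whether a PLAIN bind can work and whether it would send the password in clear. It treats a TLS (ldaps://) connection as lifting noplain, which is how Cyrus SASL evaluates that flag once an external security layer is present; the rootDSE listings and slapd.conf fragments are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the thread and not part of OpenLDAP or Cyrus SASL:
# decides whether a PLAIN/LOGIN SASL bind can work against slapd and whether
# the password would cross the wire unprotected. All inputs are constructed.

# Constructed rootDSE listings in the shape printed by
#   ldapsearch -LLL -x -s base -b "" supportedSASLMechanisms
ROOTDSE_NOPLAIN='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5'
ROOTDSE_PLAIN='dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5'

# Constructed slapd.conf fragments: one without the directive (slapd then uses
# its default "noanonymous,noplain"), one with the thread's "none".
SLAPD_DEFAULT='sasl-host localhost'
SLAPD_NONE='sasl-host localhost
sasl-secprops none'

# offered_mechs LDIF -> mechanism names, one per line
offered_mechs() {
  printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms:[[:space:]]*//p'
}

# offers_mech LDIF NAME -> rc 0 if NAME is advertised
offers_mech() {
  offered_mechs "$1" | grep -qx "$2"
}

# secprops CONF -> effective sasl-secprops value (default when absent)
secprops() {
  v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*sasl-secprops[[:space:]][[:space:]]*//p' | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'noanonymous,noplain\n'; fi
}

# plain_allowed CONF URI -> rc 0 if slapd would let PLAIN through on URI.
# "noplain" only bites on connections without a security layer: Cyrus SASL
# clears the flag once an external (TLS) SSF is in place, so ldaps:// passes.
plain_allowed() {
  case ",$(secprops "$1" | tr 'A-Z' 'a-z')," in
    *,noplain,*)
      case "$2" in ldaps://*) return 0 ;; *) return 1 ;; esac ;;
  esac
  return 0
}

# verdict LDIF CONF URI -> one-line diagnosis, in the order the thread hit them
verdict() {
  if ! plain_allowed "$2" "$3"; then
    echo "blocked: sasl-secprops keeps noplain and $3 has no TLS layer"
  elif ! offers_mech "$1" PLAIN && ! offers_mech "$1" LOGIN; then
    echo "blocked: server advertises no plaintext mechanism (check the SASL plugin packages)"
  else
    case "$3" in
      ldaps://*) echo "ok: PLAIN usable, password protected by TLS" ;;
      *)         echo "warn: PLAIN usable on $3 but the password is sent in clear" ;;
    esac
  fi
}

case "${1:-}" in
  --demo)
    verdict "$ROOTDSE_NOPLAIN" "$SLAPD_DEFAULT" ldap://localhost
    verdict "$ROOTDSE_NOPLAIN" "$SLAPD_NONE"    ldap://localhost
    verdict "$ROOTDSE_PLAIN"   "$SLAPD_NONE"    ldap://localhost
    verdict "$ROOTDSE_PLAIN"   "$SLAPD_DEFAULT" ldaps://ldap.myproject.net
    ;;
esac
```

The last demo case is the one to aim for in production: with TLS in front, the default secprops already admits PLAIN, so "sasl-secprops none" is only needed for cleartext testing on localhost and can be left out of the final configuration.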
ldapsearch -LLL -x -H ldap://localhost -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
I also have the line "sasl-secprops none" in my /etc/ldap/slapd.conf.
On Jul 20, 2010, at 7:31 PM, Dan White wrote:
Use:
ldapsearch -LLL -x -H ldap://ldap.example.org -s "base" -b "" supportedSASLMechanisms
to see which mechanisms are offered by the server.
It appears that you will need to add the following line to your OpenLDAP config file (not your SASL config file), to have slapd offer the PLAIN mechanism:
sasl-secprops none
See the manpage for slapd.conf for additional details. Doing so is a security risk, and you should consider using SSL/TLS in a production environment.
-- Dan White
On 20/07/10 19:45 +0600, OSHIM wrote:
ldapsearch -LLL -x -H ldap://localhost -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
I also have the line "sasl-secprops none" in my /etc/ldap/slapd.conf.
With the same error or a different one?
If you're getting the same error, make sure that you have the SASL PLAIN mechanism installed on your client system. Use pluginviewer/saslpluginviewer to get a list. If you don't, you may need to install additional binary packages provided by your OS vendor.
Using ldapwhoami is probably better at this point, and will help you work out your authz-regexp statements.
I am trying it on the same server, so my client and server are the same.
On Jul 20, 2010, at 8:35 PM, Dan White wrote:
With the same error or a different one?
If you're getting the same error, make sure that you have the SASL PLAIN mechanism installed on your client system. Use pluginviewer/saslpluginviewer to get a list. If you don't, you may need to install additional binary packages provided by your OS vendor.
Using ldapwhoami is probably better at this point, and will help you work out your authz-regexp statements.
-- Dan White
On 20/07/10 21:19 +0600, OSHIM wrote:
I am trying it on the same server, so my client and server are the same.
To further troubleshoot:
Add something like 'auth.debug /var/log/auth.log' to your syslog configuration.
Add 'log_level: 7' to /usr/lib/sasl2/slapd.conf
Run saslauthd in debugging mode, with the '-d' option.
On Jul 20, 2010, at 8:35 PM, Dan White wrote:
With the same error or a different one?
If you're getting the same error, make sure that you have the SASL PLAIN mechanism installed on your client system. Use pluginviewer/saslpluginviewer to get a list. If you don't, you may need to install additional binary packages provided by your OS vendor.
Using ldapwhoami is probably better at this point, and will help you work out your authz-regexp statements.
If I restart slapd, I get this error in /var/log/auth.log:
myproject slapd[4988]: auxpropfunc error invalid parameter supplied
myproject slapd[4988]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
On Jul 20, 2010, at 9:54 PM, Dan White wrote:
To further troubleshoot:
Add something like 'auth.debug /var/log/auth.log' to your syslog configuration.
Add 'log_level: 7' to /usr/lib/sasl2/slapd.conf
Run saslauthd in debugging mode, with the '-d' option.
-- Dan White
On 20/07/10 22:01 +0600, OSHIM wrote:
If I restart slapd, I get this error in /var/log/auth.log:
myproject slapd[4988]: auxpropfunc error invalid parameter supplied
myproject slapd[4988]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Add:
auxprop_plugin: slapd
to /usr/lib/sasl/slapd.conf
That message isn't really an error, but the above change will stop it.
myproject slapd[5431]: conn=1 op=0 BIND dn="cn=swimonowar,dc=myproject,dc=net" method=128
Jul 21 01:10:39 myproject slapd[5431]: SASL [conn=1] Failure: cannot connect to saslauthd server: No such file or directory
Jul 21 01:10:39 myproject slapd[5431]: conn=1 op=0 RESULT tag=97 err=49 text=
Jul 21 01:10:39 myproject slapd[5431]: conn=1 fd=13 closed (connection lost)
Why does this happen:
Jul 21 01:10:39 myproject slapd[5431]: SASL [conn=1] Failure: cannot connect to saslauthd server: No such file or directory
testsaslauthd is working fine, but ldapsearch gives an error.
On Jul 20, 2010, at 10:46 PM, Dan White wrote:
Add:
auxprop_plugin: slapd
to /usr/lib/sasl/slapd.conf
That message isn't really an error, but the above change will stop it.
Dan White
On 21/07/10 01:13 +0600, OSHIM wrote:
myproject slapd[5431]: conn=1 op=0 BIND dn="cn=swimonowar,dc=myproject,dc=net" method=128
Jul 21 01:10:39 myproject slapd[5431]: SASL [conn=1] Failure: cannot connect to saslauthd server: No such file or directory
Jul 21 01:10:39 myproject slapd[5431]: conn=1 op=0 RESULT tag=97 err=49 text=
Jul 21 01:10:39 myproject slapd[5431]: conn=1 fd=13 closed (connection lost)
Why does this happen:
Jul 21 01:10:39 myproject slapd[5431]: SASL [conn=1] Failure: cannot connect to saslauthd server: No such file or directory
testsaslauthd is working fine, but ldapsearch gives an error.
That may mean that you've inserted the wrong value for saslauthd_path into /usr/lib/sasl2/slapd.conf, or perhaps the user that your slapd server runs under does not have permissions to access the location of the mux.
Check the value of your saslauthd_path option in /usr/lib/sasl2/slapd.conf (or try commenting it out).
Running testsaslauthd as the same user as slapd is a good test.
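Added example, not code from the thread, Cyrus SASL or OpenLDAP: a POSIX shell checker for the two configuration faults behind the failures in this thread, a mech_list entry that saslauthd cannot verify (the Invalid credentials seen with DIGEST-MD5 earlier) and a saslauthd_path mux that the slapd process cannot reach (the "cannot connect to saslauthd server" line above). The sample configurations are constructed; the mux path is the one used in the thread. Run mux_reachable under slapd's own account, as suggested above, to see the socket the way slapd does.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Cyrus SASL or OpenLDAP:
# checks a /usr/lib/sasl2/slapd.conf-style configuration for a mech_list that
# names a challenge mechanism saslauthd cannot verify, and for a saslauthd mux
# the current process cannot reach.

# Constructed samples (the mux path is the one used in the thread).
CONF_BAD='pwcheck_method: saslauthd
mech_list: plain login digest-md5
saslauthd_path: /var/run/saslauthd/mux'
CONF_GOOD='pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/run/saslauthd/mux'

# sasl_opt CONF KEY -> value of "key: value" (last occurrence wins); KEY in lowercase
sasl_opt() {
  printf '%s\n' "$1" | awk -F': *' -v k="$2" 'tolower($1) == k { v = $2 } END { print v }'
}

# unverifiable_mechs CONF -> mechanisms in mech_list that need the cleartext
# password on the server side. saslauthd only answers yes/no to a user/password
# pair, so a bind with any of these can never succeed through it.
unverifiable_mechs() {
  [ "$(sasl_opt "$1" pwcheck_method | tr 'A-Z' 'a-z')" = saslauthd ] || return 0
  for m in $(sasl_opt "$1" mech_list | tr 'A-Z' 'a-z'); do
    case "$m" in
      digest-md5|cram-md5|scram-sha-1|scram-sha-256|ntlm) printf '%s\n' "$m" ;;
    esac
  done
}

# mux_reachable PATH -> rc 0 when PATH is a unix socket writable by the current
# user. Run it as slapd's account (e.g. su -s /bin/sh openldap -c '...') to
# reproduce the "cannot connect to saslauthd server" failure from the log.
mux_reachable() {
  [ -S "$1" ] && [ -w "$1" ]
}

# check_conf CONF -> prints findings; rc 0 only when nothing was found
check_conf() {
  rc=0
  bad=$(unverifiable_mechs "$1" | tr '\n' ' ')
  if [ -n "$bad" ]; then
    printf 'mech_list: %scannot be verified by saslauthd, keep plain/login only\n' "$bad"
    rc=1
  fi
  mux=$(sasl_opt "$1" saslauthd_path)
  if [ -n "$mux" ] && ! mux_reachable "$mux"; then
    printf 'saslauthd_path: %s is not a writable socket for uid %s\n' "$mux" "$(id -u)"
    rc=1
  fi
  return "$rc"
}

case "${1:-}" in
  --demo) check_conf "$CONF_BAD"; check_conf "$CONF_GOOD" ;;
esac
```

A passing testsaslauthd run as root proves only that the daemon works for root; the mux check is what distinguishes that from the case slapd is in, where the socket directory is unreadable to its service account.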
openldap-technical@openldap.org