Hi,
BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.
/etc/openldap/ldap.conf is empty.
~/.ldaprc is:
$ cat ~/.ldaprc
BINDDN <myBindDN>
BASE <myBaseDN>
URI ldaps://<myLDAPServer>
TLS_REQCERT never
$
ldapsearch returns an error if I don't declare the bindDN on the commandline:
$ ldapsearch -W -v cn=xyz
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)
$
but works happily with the bindDN on the commandline:
$ ldapsearch -D <myBindDN> -W -v cn=xyz
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
[... ldapsearch results ...]
$
Using strace I can see that ~/.ldaprc is accessed by ldapsearch. So either BINDDN is ignored or I am doing something wrong.
This is with openSUSE 13.1 and ldapsearch 2.4.33.
Cheers,
Frank
On 02/09/16 10:28 +0100, Frank Thommen wrote:
> BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.
> /etc/openldap/ldap.conf is empty.
> ~/.ldaprc is:
> $ cat ~/.ldaprc
> BINDDN <myBindDN>
> BASE <myBaseDN>
> URI ldaps://<myLDAPServer>
> TLS_REQCERT never
> $
> ldapsearch returns an error if I don't declare the bindDN on the commandline:
> $ ldapsearch -W -v cn=xyz
> ldap_initialize( <DEFAULT> )
> Enter LDAP Password:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)
> $
For SASL binds, specify SASL_AUTHCID instead; however this option will be ignored by the sasl library for GSSAPI binds, in which case SASL_AUTHZID may be used if you need to specify an authz identity.
For non-sasl binds, specify '-x' on your command line, which does make use of BINDDN.
On 02/09/2016 03:41 PM, Dan White wrote:
> On 02/09/16 10:28 +0100, Frank Thommen wrote:
>> BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.
>> /etc/openldap/ldap.conf is empty.
>> ~/.ldaprc is:
>> $ cat ~/.ldaprc
>> BINDDN <myBindDN>
>> BASE <myBaseDN>
>> URI ldaps://<myLDAPServer>
>> TLS_REQCERT never
>> $
>> ldapsearch returns an error if I don't declare the bindDN on the commandline:
>> $ ldapsearch -W -v cn=xyz
>> ldap_initialize( <DEFAULT> )
>> Enter LDAP Password:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)
>> $
> For SASL binds, specify SASL_AUTHCID instead; however this option will be ignored by the sasl library for GSSAPI binds, in which case SASL_AUTHZID may be used if you need to specify an authz identity.
Thanks. But even after reading through a dozen different webpages and documentations I still don't understand how a SASL_AUTHCID or SASL_AUTHZID looks like and from where I get the appropriate information.
> For non-sasl binds, specify '-x' on your command line, which does make use of BINDDN.
Yes, that works fine. Maybe it should be made clearer in the manpage that BINDDN does not apply (?) when not using simple authentication.
frank
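To put Dan's answer and Frank's follow-up question into one place, here is an added example of a ~/.ldaprc that covers both bind types, with the matching ldapsearch invocations in comments. It is not from the thread; option names come from ldap.conf(5), and every value in angle brackets (DNs, server, realm, usernames, CA bundle path) is a placeholder.

```conf
# ~/.ldaprc (added example, not from the thread; <...> values are placeholders)
URI      ldaps://<myLDAPServer>
BASE     <myBaseDN>

# TLS_REQCERT never (as in the original file) skips server certificate checks,
# so a simple bind would hand the password to whatever answers on that host.
# Pin a CA and require a valid certificate instead:
TLS_CACERT  /etc/ssl/certs/<ca-bundle>.pem
TLS_REQCERT demand

# --- Simple bind: BINDDN is only consulted when -x is given ---
#   $ ldapsearch -x -W cn=xyz
BINDDN   <myBindDN>

# --- SASL bind (the default when -x is absent) ---
# GSSAPI takes the identity from the Kerberos ticket cache, which is why the
# original run failed with "No Kerberos credentials available". Obtain a ticket
# first, then no BINDDN or password prompt is involved:
#   $ kinit <user>@<REALM>
#   $ ldapsearch -Y GSSAPI cn=xyz
SASL_MECH    GSSAPI
SASL_REALM   <REALM>

# SASL_AUTHCID is the plain username (e.g. "frank") for mechanisms such as
# DIGEST-MD5 and is ignored by GSSAPI. SASL_AUTHZID, the identity to act as,
# is written as "u:<username>" or "dn:<distinguished name>".
# SASL_AUTHCID <username>
# SASL_AUTHZID dn:<myBindDN>
```

With BINDDN set, a plain `ldapsearch -W` still attempts a SASL bind, so the symptom in the thread (a GSSAPI error instead of a simple bind) is the expected behaviour rather than BINDDN being ignored.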
--On Tuesday, February 09, 2016 6:02 PM +0100 Frank Thommen f.thommen@dkfz-heidelberg.de wrote:
>> For non-sasl binds, specify '-x' on your command line, which does make use of BINDDN.
> Yes, that works fine. Maybe it should be made clearer in the manpage that BINDDN does not apply (?) when not using simple authentication.
Feel free to submit an ITS with the appropriate changes. Likely the BINDDN section should say something more than just "when performing ldap operations" as it doesn't note the limitation to simple binds.
--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
openldap-technical@openldap.org