I know the security implications of this, but I just want to stage this procedure and take one problem at a time; trouble is the system wants me to bite more than I can chew at a given time!
I have set up an ldap server, ldap admin programs can connect to it, but when I run say ldapsearch it says it can't connect with the following error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
Sure, eventually I'd like to secure things more, but I simply need to test things at this point. It also gets in the way of other things which I'm just looking in to right now.
I kinda understand the error code, but I'm not entirely sure what the -2 is; I've been working on the premise that it can't connect because the security service isn't set up (sasl or krb principal), so I'm trying to work out how to set up the system to do a simple bind (through ldap.conf? either /etc/ or openldap/) but I can't for the life of me get it to cooperate.
Any help? What info is needed here to resolve this?
Cheers
On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
> Da Rock wrote:
>> so I'm trying to work out how to set up the system to do a simple bind
> ldapsearch -x -D <bind-DN>
I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
2009/4/1 Da Rock <rock_on_the_web@comcen.com.au>:
> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>> Da Rock wrote:
>>> so I'm trying to work out how to set up the system to do a simple bind
>> ldapsearch -x -D <bind-DN>
> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
Configuring SASL isn't that hard.
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=users,dc=domain,dc=tld
(change the line uid=$1... to match your setup)
Store passwords in PLAINTEXT and protect userPassword with proper ACLs (something you should do anyways)
HTH, Norberto
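To see what an authz-regexp line like the one above does to a SASL identity before it goes into slapd.conf, here is an added Python simulation of that mapping step. It is example code written for this thread, not part of the original posts or of OpenLDAP: the pattern and the uid=$1,ou=users,dc=domain,dc=tld template are the ones Norberto posted, the sample SASL identities are constructed, and anchoring the match to the whole identity is an assumption made here for clarity. It also shows the edge case that matters for the original poster's GSSAPI error: a GSSAPI identity carries an extra realm component, which the posted single-component pattern does not match.

```python
import re

# Rules as (pattern, template) pairs, as they would appear on an authz-regexp
# line in slapd.conf.  The first rule is the one posted above; the DN on the
# right is a placeholder you must change to match your own tree.
AUTHZ_REGEXP_POSTED = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "uid=$1,ou=users,dc=domain,dc=tld"),
]

# Constructed variant that also covers GSSAPI identities, whose SASL form is
# uid=<user>,cn=<REALM>,cn=gssapi,cn=auth (one more cn component than above).
AUTHZ_REGEXP_WITH_GSSAPI = AUTHZ_REGEXP_POSTED + [
    (r"uid=([^,]*),cn=[^,]*,cn=gssapi,cn=auth", "uid=$1,ou=users,dc=domain,dc=tld"),
]


def _slapd_template_to_python(template):
    """Turn slapd's $0..$9 back-references into the \\g<N> form re.Match.expand uses."""
    return re.sub(r"\$(\d)", r"\\g<\1>", template)


def map_sasl_identity(sasl_identity, rules=AUTHZ_REGEXP_POSTED):
    """Return the DN the first matching authz-regexp rule maps sasl_identity to.

    Mirrors the behaviour documented in slapd.conf(5): rules are tried in order,
    the regex is matched case-insensitively, and the whole replacement template
    becomes the new identity (nothing of the original string survives).
    Matching is anchored to the entire identity here (assumption, for clarity).
    Returns None when no rule matches, meaning the SASL identity would stay in
    its "uid=...,cn=auth" form and correspond to no entry in the tree.
    """
    for pattern, template in rules:
        match = re.fullmatch(pattern, sasl_identity, flags=re.IGNORECASE)
        if match:
            return match.expand(_slapd_template_to_python(template))
    return None


if __name__ == "__main__":
    # Constructed SASL identities of the shape slapd builds for each mechanism.
    for ident in ("uid=alice,cn=digest-md5,cn=auth",
                  "uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth"):
        print(ident, "->", map_sasl_identity(ident))
        print(ident, "->", map_sasl_identity(ident, AUTHZ_REGEXP_WITH_GSSAPI))
```

Run it with the identity your mechanism produces; a None result for a mechanism you intend to use means the rule needs another cn component or a dedicated line, and the mapped DN must exist in the tree (and be covered by the userPassword ACLs) before anything can bind as it.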
On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>> Da Rock wrote:
>>> so I'm trying to work out how to set up the system to do a simple bind
>> ldapsearch -x -D <bind-DN>
> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
If you can do a simple bind (anonymous, or authenticated), there (in most cases) is nothing preventing other applications from doing simple binds. Having SASL support compiled in to the server does not prevent other applications from doing simple binds.
Maybe you should provide more information about the applications in question, and how they are configured.
(Note: In the past Apple's LDAP client software for Mac OS seems to use whichever SASL mechanisms are advertised by the LDAP server, but this again isn't about SASL support being compiled in or not).
Regards, Buchan
On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
>> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>>> Da Rock wrote:
>>>> so I'm trying to work out how to set up the system to do a simple bind
>>> ldapsearch -x -D <bind-DN>
>> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
> If you can do a simple bind (anonymous, or authenticated), there (in most cases) is nothing preventing other applications from doing simple binds. Having SASL support compiled in to the server does not prevent other applications from doing simple binds.
> Maybe you should provide more information about the applications in question, and how they are configured.
> (Note: In the past Apple's LDAP client software for Mac OS seems to use whichever SASL mechanisms are advertised by the LDAP server, but this again isn't about SASL support being compiled in or not).
That's what I would have figured, yet I get no joy, nothing I can see out of the ordinary in the logs, and all the apps are auth types (courier, pam, postfix), plus records for bind.
Bind doesn't bind to the ldap, and I'm trying to set up the others to do the same. Obviously, courier has to bind to confirm auth, but only as the user (not bind as courier, then again as the user).
Bind works: tested that myself. The others fail miserably.
I'm not entirely sure what else I need to add exactly, the platform is freebsd with openldap built with sasl from ports.
Before anyone suggests it, I already have a mail server running (postfix, courier); I want ldap as lookup source to ease administration. The pam is completely new to me, I'm following a lot of howtos on the web to compile a picture of how it all works.
Now as to pam, I thought it must be my ineptitude in configuration, so I put it on hold and moved to something easier. Unfortunately I hit a similar snag there with the imap auth, hence I looked at the ldapsearch angle. Seems I could be wrong there based on comments received....
Da Rock wrote:
> On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
>> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
>>> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>>>> Da Rock wrote:
>>>>> so I'm trying to work out how to set up the system to do a simple bind
>>>> ldapsearch -x -D <bind-DN>
>>> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
>> If you can do a simple bind (anonymous, or authenticated), there (in most cases) is nothing preventing other applications from doing simple binds. Having SASL support compiled in to the server does not prevent other applications from doing simple binds.
>> Maybe you should provide more information about the applications in question, and how they are configured.
>> (Note: In the past Apple's LDAP client software for Mac OS seems to use whichever SASL mechanisms are advertised by the LDAP server, but this again isn't about SASL support being compiled in or not).
> That's what I would have figured, yet I get no joy, nothing I can see out of the ordinary in the logs, and all the apps are auth types (courier, pam, postfix), plus records for bind.
> Bind doesn't bind to the ldap, and I'm trying to set up the others to do the same. Obviously, courier has to bind to confirm auth, but only as the user (not bind as courier, then again as the user).
> Bind works: tested that myself. The others fail miserably.
> I'm not entirely sure what else I need to add exactly, the platform is freebsd with openldap built with sasl from ports.
> Before anyone suggests it, I already have a mail server running (postfix, courier); I want ldap as lookup source to ease administration. The pam is completely new to me, I'm following a lot of howtos on the web to compile a picture of how it all works.
> Now as to pam, I thought it must be my ineptitude in configuration, so I put it on hold and moved to something easier. Unfortunately I hit a similar snag there with the imap auth, hence I looked at the ldapsearch angle. Seems I could be wrong there based on comments received....
Sorry, nothing in your postings gives enough information to help you.
Posting *relevant* excerpts of configuration and log files and some more information about the client applications is quite helpful.
Ciao, Michael.
On Thu, 2009-04-02 at 12:55 +0200, Michael Ströder wrote:
> Da Rock wrote:
>> On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
>>> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
>>>> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>>>>> Da Rock wrote:
>>>>>> so I'm trying to work out how to set up the system to do a simple bind
>>>>> ldapsearch -x -D <bind-DN>
>>>> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
>>> If you can do a simple bind (anonymous, or authenticated), there (in most cases) is nothing preventing other applications from doing simple binds. Having SASL support compiled in to the server does not prevent other applications from doing simple binds.
>>> Maybe you should provide more information about the applications in question, and how they are configured.
>>> (Note: In the past Apple's LDAP client software for Mac OS seems to use whichever SASL mechanisms are advertised by the LDAP server, but this again isn't about SASL support being compiled in or not).
>> That's what I would have figured, yet I get no joy, nothing I can see out of the ordinary in the logs, and all the apps are auth types (courier, pam, postfix), plus records for bind.
>> Bind doesn't bind to the ldap, and I'm trying to set up the others to do the same. Obviously, courier has to bind to confirm auth, but only as the user (not bind as courier, then again as the user).
>> Bind works: tested that myself. The others fail miserably.
>> I'm not entirely sure what else I need to add exactly, the platform is freebsd with openldap built with sasl from ports.
>> Before anyone suggests it, I already have a mail server running (postfix, courier); I want ldap as lookup source to ease administration. The pam is completely new to me, I'm following a lot of howtos on the web to compile a picture of how it all works.
>> Now as to pam, I thought it must be my ineptitude in configuration, so I put it on hold and moved to something easier. Unfortunately I hit a similar snag there with the imap auth, hence I looked at the ldapsearch angle. Seems I could be wrong there based on comments received....
> Sorry, nothing in your postings gives enough information to help you.
> Posting *relevant* excerpts of configuration and log files and some more information about the client applications is quite helpful.
Sorry I'm being a PITA, but I'm really not sure what I can/need post.
Postfix/courier simply connect and request information based on filters. Binding is only necessary (apparently) to authenticate a user (Courier). The filter looks for (usually) the mailbox name/alias and whether the account is active, the physical maildir, etc.
Logs don't appear to be showing much- nothing I can tell anyway.
The problem is mainly to do with auth. Perhaps the best idea is to point me to some reputable and reliable sources of information on how to do this? I'll try and struggle along on my own until I have some more firmer evidence.
Thanks for your help so far.
On Thursday 02 April 2009 13:54:20 Da Rock wrote:
> On Thu, 2009-04-02 at 12:55 +0200, Michael Ströder wrote:
>> Da Rock wrote:
>>> On Thu, 2009-04-02 at 09:59 +0200, Buchan Milne wrote:
>>>> On Wednesday 01 April 2009 10:44:56 Da Rock wrote:
>>>>> On Wed, 2009-04-01 at 01:48 +0200, Michael Ströder wrote:
>>>>>> Da Rock wrote:
>>>>>>> so I'm trying to work out how to set up the system to do a simple bind
>>>>>> ldapsearch -x -D <bind-DN>
>>>>> I know that, thanks, but this is affecting other apps from obtaining data from the system. I can also just go ldapsearch -x for anonymous. It appears I'm all in or bust! Unless I can set it up so apps can do simple bind...
>>>> If you can do a simple bind (anonymous, or authenticated), there (in most cases) is nothing preventing other applications from doing simple binds. Having SASL support compiled in to the server does not prevent other applications from doing simple binds.
>>>> Maybe you should provide more information about the applications in question, and how they are configured.
>>>> (Note: In the past Apple's LDAP client software for Mac OS seems to use whichever SASL mechanisms are advertised by the LDAP server, but this again isn't about SASL support being compiled in or not).
>>> That's what I would have figured, yet I get no joy, nothing I can see out of the ordinary in the logs, and all the apps are auth types (courier, pam, postfix), plus records for bind.
>>> Bind doesn't bind to the ldap, and I'm trying to set up the others to do the same. Obviously, courier has to bind to confirm auth, but only as the user (not bind as courier, then again as the user).
>>> Bind works: tested that myself. The others fail miserably.
>>> I'm not entirely sure what else I need to add exactly, the platform is freebsd with openldap built with sasl from ports.
>>> Before anyone suggests it, I already have a mail server running (postfix, courier); I want ldap as lookup source to ease administration. The pam is completely new to me, I'm following a lot of howtos on the web to compile a picture of how it all works.
>>> Now as to pam, I thought it must be my ineptitude in configuration, so I put it on hold and moved to something easier. Unfortunately I hit a similar snag there with the imap auth, hence I looked at the ldapsearch angle. Seems I could be wrong there based on comments received....
>> Sorry, nothing in your postings gives enough information to help you.
>> Posting *relevant* excerpts of configuration and log files and some more information about the client applications is quite helpful.
> Sorry I'm being a PITA, but I'm really not sure what I can/need post.
Excerpt from named.conf, and an excerpt from whichever log file you have configured slapd to log to, which shows the BIND operation failing.
> Postfix/courier simply connect and request information based on filters.
Where is your postfix configuration regarding ldap?
Where's your authldaprc?
Where is your test with ldapsearch doing exactly what authlib is configured to do?
> Binding is only necessary (apparently) to authenticate a user (Courier). The filter looks for (usually) the mailbox name/alias and whether the account is active, the physical maildir, etc.
I think most people on this list understand how these tools would work. But, where is the log from authdaemon showing a failure?
> Logs don't appear to be showing much- nothing I can tell anyway.
Why not? Have you set an appropriate loglevel in slapd.conf? Have you configured your syslog system to log syslog messages from slapd (see 'man slapd', look at the -l option) to a log file? Does anything interesting appear there?
What have you got in your slapd.conf file?
> The problem is mainly to do with auth. Perhaps the best idea is to point me to some reputable and reliable sources of information on how to do this?
The project documentation should be sufficient ... but it doesn't cover courier authdaemon, postfix, bind or any of the other software, and it's difficult to recommend specifics if you can't say what isn't working.
> I'll try and struggle along on my own until I have some more firmer evidence.
Well, since it seems you provide any of the information that only you have access to, that people on this list need to help, that does seem to be your only option.
Regards, Buchan
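Buchan's request is for the slapd log lines that show the BIND operation failing, which presupposes a loglevel that records operations and a syslog rule that catches them. As an added example for this thread (not from the original posts or from OpenLDAP), the Python below pairs each BIND with its RESULT line in the stats-level (loglevel 256) output slapd sends to syslog and reports the binds that ended in an error, so a courier or postfix authentication problem can be separated from an anonymous-only connection. The log excerpt is constructed for the example; the host name, process id, IP and DNs are placeholders.

```python
import re

# Constructed syslog excerpt in the format slapd emits at loglevel 256 (stats).
# method=128 is a simple bind, method=163 a SASL bind; err is the LDAP result
# code (0 success, 49 invalidCredentials, 14 saslBindInProgress).
SAMPLE_SLAPD_LOG = """\
Apr  2 13:54:20 ldaphost slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:41234 (IP=0.0.0.0:389)
Apr  2 13:54:20 ldaphost slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=users,dc=domain,dc=tld" method=128
Apr  2 13:54:20 ldaphost slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Apr  2 13:54:21 ldaphost slapd[1234]: conn=1002 op=0 BIND dn="" method=128
Apr  2 13:54:21 ldaphost slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr  2 13:54:21 ldaphost slapd[1234]: conn=1002 op=1 SRCH base="ou=users,dc=domain,dc=tld" scope=2 deref=0 filter="(uid=alice)"
Apr  2 13:54:22 ldaphost slapd[1234]: conn=1003 op=0 BIND dn="" method=163
Apr  2 13:54:22 ldaphost slapd[1234]: conn=1003 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Apr  2 13:54:22 ldaphost slapd[1234]: conn=1003 op=1 BIND dn="" method=163
Apr  2 13:54:22 ldaphost slapd[1234]: conn=1003 op=1 BIND dn="uid=alice,ou=users,dc=domain,dc=tld" mech=DIGEST-MD5 ssf=128
Apr  2 13:54:22 ldaphost slapd[1234]: conn=1003 op=1 RESULT tag=97 err=0 text=
Apr  2 13:54:23 ldaphost slapd[1234]: conn=1004 op=0 BIND dn="cn=courier,dc=domain,dc=tld" method=128
Apr  2 13:54:23 ldaphost slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
"""

# BIND lines carry either method=<n> (the request) or mech=<MECH> (the DN a
# completed SASL exchange authenticated as).  tag=97 is the bindResponse tag,
# so only RESULT lines belonging to a bind are considered.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(?: method=(\d+))?(?: mech=(\S+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')

SIMPLE_BIND_METHOD = "128"
SASL_BIND_IN_PROGRESS = 14


def failed_binds(log_text):
    """Return [(conn, op, dn, kind, err)] for every bind that ended in an error.

    kind is "simple" (method=128), "sasl/<MECH>" once slapd has logged the
    negotiated mechanism, or "sasl" for a SASL bind still being negotiated.
    err=14 (saslBindInProgress) is a multi-step SASL continuation, not a failure,
    and err=0 is success; everything else is reported.
    """
    pending = {}   # (conn, op) -> (dn, kind) for binds awaiting their RESULT
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method, mech = m.groups()
            if mech:
                kind = "sasl/" + mech
            elif method == SIMPLE_BIND_METHOD:
                kind = "simple"
            else:
                kind = "sasl"
            # A later BIND line for the same op (the mech= line) is more
            # informative than the first, so it simply replaces it.
            pending[(conn, op)] = (dn, kind)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, _text = m.groups()
            err = int(err)
            dn, kind = pending.pop((conn, op), ("", "unknown"))
            if err not in (0, SASL_BIND_IN_PROGRESS):
                failures.append((conn, op, dn or "<anonymous>", kind, err))
    return failures


if __name__ == "__main__":
    for conn, op, dn, kind, err in failed_binds(SAMPLE_SLAPD_LOG):
        print(f"conn={conn} op={op} {kind} bind as {dn} failed with err={err}")
```

slapd writes these records to syslog (facility local4 unless changed with the -l option Buchan points at), so the practical sequence is: set the loglevel, route local4.* to a file, reproduce the failing courier or postfix login, and run the file through failed_binds(). A run that shows only successful anonymous binds (dn="" method=128, err=0) while the application still fails says the application never attempted the authenticated bind at all, which is a client configuration problem rather than a slapd one.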
openldap-technical@openldap.org