Re: Sponsoring a canon_user plugin for LDAP lookup

From: Torsten Schlabach (no email)
Date: Mon Mar 12 2007 - 18:32:22 EDT

  • Next message: Torsten Schlabach: "Re: Sponsoring a canon_user plugin for LDAP lookup"

    Dan!
    These two changes at least make the basics work, i.e. the ldapdb backend
    works now without canon_user. Let's take the next step ...
    Regards,
    Torsten

    Dan White wrote:
    > Right. The SASL/EXTERNAL was a copy and paste error, the
    > command was supposed to end with '...u:dwhite'. The -U
    > was unnecessary. This command does the same thing:
    >
    > ldapwhoami -Y EXTERNAL -X u:dwhite
    >
    > The contents of my /etc/ldap/ldap.conf file are:
    > =========
    > BASE dc=nodomain
    > URI ldapi:///
    > =========
    >
    > and I forgot to mention that I modified /etc/default/slapd
    > like so, so that slapd listens on ldapi:
    >
    > SLAPD_SERVICES="ldap:/// ldapi:///"
    >
    > - Dan
    >
    > Howard Chu wrote:
    >
    >> Torsten Schlabach wrote:
    >>
    >>> Hi Dan!
    >>>
    >>> Thank you for taking the time for that detailed writeup.
    >>>
    >>> I have taken a blank server with a fresh Debian Etch installation and
    >>> installed the very same packages you did. I did not yet apply the
    >>> patches as I wanted to make sure I get all that stuff right out of
    >>> the box before I did into canonicalization.
    >>>
    >>> Here is where I got stuck:
    >>>
    >>> cyrus at Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
    >>> > -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
    >>> > -X u:dwhite SASL/EXTERNAL
    >>> SASL/EXTERNAL authentication started
    >>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    >>> additional info: SASL(-4): no mechanism available:
    >>
    >>
    >> The -U flag is not meaningful with SASL/EXTERNAL. The "SASL/EXTERNAL"
    >> at the end of your command is erroneous. (In Dan's email it was merely
    >> a mis-wrapped line of text output.)
    >>
    >> The EXTERNAL mechanism is only valid when you use an LDAP session that
    >> has an out-of-band mechanism for transmitting the client credentials
    >> to the server. That usually means a client certificate for TLS or
    >> IPSEC, or an ldapi:// session. You didn't specify any ldapi:// URI
    >> here and you didn't show what's in your ldap.conf file so presumably
    >> it's not using ldapi.
    >>
    >>>
    >>> I do have the modules installed (which I know is a common gotcha):
    >>>
    >>> cyrus at Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
    >>> libsasl2 install
    >>> libsasl2-2 install
    >>> libsasl2-modules install
    >>> libsasl2-modules-ldap install
    >>>
    >>> Any idea what I am missing?
    >>>
    >>> Do you have a 32 or 64 bit system?
    >>>
    >>> Regards,
    >>> Torsten
    >>>
    >>>
    >>
    >>
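
An added example, not part of the thread: a preflight check for the `ldapwhoami -Y EXTERNAL` call discussed above, following the point that EXTERNAL needs an out-of-band identity such as an ldapi:// session. The function names are hypothetical, and environment overrides such as LDAPURI are not modelled.

```shell
#!/bin/sh
# Added example: preflight for "ldapwhoami -Y EXTERNAL" (not from the thread).

# effective_uri CONF [ARGS...]: -H on the command line wins, else the first
# URI in CONF. Assumption: LDAPURI/LDAPRC environment overrides are ignored.
effective_uri() {
    conf=$1; shift
    uri=""
    while [ $# -gt 0 ]; do
        case $1 in
            -H)   if [ $# -ge 2 ]; then uri=$2; shift; fi ;;
            -H?*) uri=${1#-H} ;;
        esac
        shift
    done
    if [ -z "$uri" ] && [ -r "$conf" ]; then
        uri=$(awk 'toupper($1) == "URI" { print $2; exit }' "$conf")
    fi
    printf '%s\n' "$uri"
}

# external_transport URI: where would the server get the client identity from?
external_transport() {
    case $1 in
        ldapi://*)          echo peercred ;;           # Unix socket peer credentials
        ldaps://*|ldap://*) echo needs-client-cert ;;  # TLS client certificate (or IPSEC)
        *)                  echo no-uri ;;             # nothing configured
    esac
}

# peercred_dn UID GID: authentication DN slapd derives for an ldapi peer
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# has_stray_U ARGS...: succeeds if -U is present (not meaningful with EXTERNAL)
has_stray_U() {
    for a in "$@"; do
        case $a in -U|-U?*) return 0 ;; esac
    done
    return 1
}

# Report for this invocation, e.g.: sh preflight.sh -Y EXTERNAL -X u:dwhite
echo "transport: $(external_transport "$(effective_uri /etc/ldap/ldap.conf "$@")")"
echo "identity over ldapi: $(peercred_dn "$(id -u)" "$(id -g)")"
```

A result of `peercred` means the ldapi socket supplies the identity; anything else means the bind needs a client certificate or will fail with "no mechanism available" as in the quoted output.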

