Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   saslauthd won't work (http://www.linux-archive.org/fedora-directory/540089-saslauthd-wont-work.html)

Gioachino Bartolotta 06-15-2011 01:02 PM

saslauthd won't work
 
Hi!

Just a little problem about saslauthd with 389.
When I try to execute:

ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
secret -ZZ '(uid=u01209)'

it returns

ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
ldap_int_sasl_open: host=dirsrv01.dominio
SASL/EXTERNAL authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:


I configured /etc/sysconfig/saslauthd in this way
-------------------------
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
# MECH=pam
MECH=ldap
START=yes
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
---------------------------------------------------

What it's wrong??

This is the configuration of /etc/openldap/ldap.conf
------------------------------------------
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://dirsrv01.dominio/
BASE dc=dominio
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
ssl tls_start
---------------------------------------------------------

Any Idea?

Regards
--
-------------------------------------------
Gioachino Bartolotta
ICQ #: 9103167
MSN Messenger: astraroth@email.it
Yahoo & Skype: gioachino_bartolotta
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 06-15-2011 03:10 PM

saslauthd won't work
 
On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
> Hi!
>
> Just a little problem about saslauthd with 389.
> When I try to execute:
>
> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
> secret -ZZ '(uid=u01209)'
>
> it returns
>
> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_open: host=dirsrv01.dominio
> SASL/EXTERNAL authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
>
> I configured /etc/sysconfig/saslauthd in this way
> -------------------------
> # Directory in which to place saslauthd's listening socket, pid file, and so
> # on. This directory must already exist.
> SOCKETDIR=/var/run/saslauthd
>
> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
> # of which mechanism your installation was compiled with the ablity to use.
> # MECH=pam
> MECH=ldap
> START=yes
> # Additional flags to pass to saslauthd on the command line. See saslauthd(8)
> # for the list of accepted flags.
> FLAGS=
> ---------------------------------------------------
>
> What it's wrong??
I'm not sure. What are you using saslauthd for? Are you trying to
allow clients to use simple bind with their Kerberos passwords, rather
than use the password in the LDAP server? If so, then you should use
389 with the PAM Pass-Through Auth plugin, and setup pam_krb5.
> This is the configuration of /etc/openldap/ldap.conf
> ------------------------------------------
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://dirsrv01.dominio/
> BASE dc=dominio
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> ssl tls_start
> ---------------------------------------------------------
>
> Any Idea?
>
> Regards

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Rich Megginson 06-15-2011 04:51 PM

saslauthd won't work
 
On 06/15/2011 09:45 AM, Gioachino Bartolotta wrote:
> Hi,
>
> no, I don't wanna use saslauthd with kerberos, but just authenticate
> users against ldap using tls or ssl ...
> Tried to configure samba using ldaps --- and it didn't work.
>
> smbd[10001]: Failed to issue the StartTLS instruction: Operations error
>
> Any Idea??
>
> Thank you!
>
> 2011/6/15 Rich Megginson<rmeggins@redhat.com>:
>> On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
>>> Hi!
>>>
>>> Just a little problem about saslauthd with 389.
>>> When I try to execute:
>>>
>>> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
>>> secret -ZZ '(uid=u01209)'
>>>
>>> it returns
>>>
>>> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
>>> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
>>> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS
>>> DIGEST-MD5
>>> ldap_int_sasl_open: host=dirsrv01.dominio
>>> SASL/EXTERNAL authentication started
>>> ldap_perror
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>> additional info: SASL(-4): no mechanism available:
You did not specify the -x option - are you trying to use some form of
SASL auth, or are you trying to use simple (i.e userDN/password) auth?
If the latter, you have to specify the -x option.
>>>
>>> I configured /etc/sysconfig/saslauthd in this way
>>> -------------------------
>>> # Directory in which to place saslauthd's listening socket, pid file, and
>>> so
>>> # on. This directory must already exist.
>>> SOCKETDIR=/var/run/saslauthd
>>>
>>> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a
>>> list
>>> # of which mechanism your installation was compiled with the ablity to
>>> use.
>>> # MECH=pam
>>> MECH=ldap
>>> START=yes
>>> # Additional flags to pass to saslauthd on the command line. See
>>> saslauthd(8)
>>> # for the list of accepted flags.
>>> FLAGS=
>>> ---------------------------------------------------
>>>
>>> What it's wrong??
>> I'm not sure. What are you using saslauthd for? Are you trying to allow
>> clients to use simple bind with their Kerberos passwords, rather than use
>> the password in the LDAP server? If so, then you should use 389 with the
>> PAM Pass-Through Auth plugin, and setup pam_krb5.
>>> This is the configuration of /etc/openldap/ldap.conf
>>> ------------------------------------------
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>> URI ldap://dirsrv01.dominio/
>>> BASE dc=dominio
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> TLS_REQCERT allow
>>> ssl tls_start
>>> ---------------------------------------------------------
>>>
>>> Any Idea?
>>>
>>> Regards
>>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Anthony Messina 06-15-2011 08:10 PM

saslauthd won't work
 
On 06/15/2011 08:02 AM, Gioachino Bartolotta wrote:
> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
> secret -ZZ '(uid=u01209)'

If you are using the OpenLDAP ldapsearch, you might need to try:

ldapsearch -Y GSSAPI (then the rest of your search)



--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 06:56 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.