06-15-2011, 01:02 PM
Gioachino Bartolotta

saslauthd won't work

Hi!

Just a little problem about saslauthd with 389.
When I try to execute:

ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w secret -ZZ '(uid=u01209)'

it returns

ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
ldap_int_sasl_open: host=dirsrv01.dominio
SASL/EXTERNAL authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:


I configured /etc/sysconfig/saslauthd in this way
-------------------------
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
# MECH=pam
MECH=ldap
START=yes
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
---------------------------------------------------

What's wrong??

This is the configuration of /etc/openldap/ldap.conf
------------------------------------------
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://dirsrv01.dominio/
BASE dc=dominio
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
ssl tls_start
---------------------------------------------------------

Any Idea?

Regards
--
-------------------------------------------
Gioachino Bartolotta
ICQ #: 9103167
MSN Messenger: astraroth@email.it
Yahoo & Skype: gioachino_bartolotta
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
06-15-2011, 03:10 PM
Rich Megginson

saslauthd won't work

On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
> Hi!
>
> Just a little problem about saslauthd with 389.
> When I try to execute:
>
> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
> secret -ZZ '(uid=u01209)'
>
> it returns
>
> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_open: host=dirsrv01.dominio
> SASL/EXTERNAL authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
>
> I configured /etc/sysconfig/saslauthd in this way
> -------------------------
> # Directory in which to place saslauthd's listening socket, pid file, and so
> # on. This directory must already exist.
> SOCKETDIR=/var/run/saslauthd
>
> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
> # of which mechanism your installation was compiled with the ablity to use.
> # MECH=pam
> MECH=ldap
> START=yes
> # Additional flags to pass to saslauthd on the command line. See saslauthd(8)
> # for the list of accepted flags.
> FLAGS=
> ---------------------------------------------------
>
> What's wrong??
I'm not sure. What are you using saslauthd for? Are you trying to
allow clients to use simple bind with their Kerberos passwords, rather
than use the password in the LDAP server? If so, then you should use
389 with the PAM Pass-Through Auth plugin, and set up pam_krb5.
> This is the configuration of /etc/openldap/ldap.conf
> ------------------------------------------
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://dirsrv01.dominio/
> BASE dc=dominio
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> ssl tls_start
> ---------------------------------------------------------
>
> Any Idea?
>
> Regards

 
06-15-2011, 04:51 PM
Rich Megginson

saslauthd won't work

On 06/15/2011 09:45 AM, Gioachino Bartolotta wrote:
> Hi,
>
> no, I don't wanna use saslauthd with kerberos, but just authenticate
> users against ldap using tls or ssl ...
> Tried to configure samba using ldaps --- and it didn't work.
>
> smbd[10001]: Failed to issue the StartTLS instruction: Operations error
>
> Any Idea??
>
> Thank you!
>
> 2011/6/15 Rich Megginson <rmeggins@redhat.com>:
>> On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
>>> Hi!
>>>
>>> Just a little problem about saslauthd with 389.
>>> When I try to execute:
>>>
>>> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
>>> secret -ZZ '(uid=u01209)'
>>>
>>> it returns
>>>
>>> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
>>> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
>>> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS
>>> DIGEST-MD5
>>> ldap_int_sasl_open: host=dirsrv01.dominio
>>> SASL/EXTERNAL authentication started
>>> ldap_perror
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>> additional info: SASL(-4): no mechanism available:
You did not specify the -x option - are you trying to use some form of
SASL auth, or are you trying to use simple (i.e. userDN/password) auth?
If the latter, you have to specify the -x option.
>>>
>>> I configured /etc/sysconfig/saslauthd in this way
>>> -------------------------
>>> # Directory in which to place saslauthd's listening socket, pid file, and
>>> so
>>> # on. This directory must already exist.
>>> SOCKETDIR=/var/run/saslauthd
>>>
>>> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a
>>> list
>>> # of which mechanism your installation was compiled with the ablity to
>>> use.
>>> # MECH=pam
>>> MECH=ldap
>>> START=yes
>>> # Additional flags to pass to saslauthd on the command line. See
>>> saslauthd(8)
>>> # for the list of accepted flags.
>>> FLAGS=
>>> ---------------------------------------------------
>>>
>>> What's wrong??
>> I'm not sure. What are you using saslauthd for? Are you trying to allow
>> clients to use simple bind with their Kerberos passwords, rather than use
>> the password in the LDAP server? If so, then you should use 389 with the
>> PAM Pass-Through Auth plugin, and set up pam_krb5.
>>> This is the configuration of /etc/openldap/ldap.conf
>>> ------------------------------------------
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>> URI ldap://dirsrv01.dominio/
>>> BASE dc=dominio
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> TLS_REQCERT allow
>>> ssl tls_start
>>> ---------------------------------------------------------
>>>
>>> Any Idea?
>>>
>>> Regards
>>
>
>

 
06-15-2011, 08:10 PM
Anthony Messina

saslauthd won't work

On 06/15/2011 08:02 AM, Gioachino Bartolotta wrote:
> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
> secret -ZZ '(uid=u01209)'

If you are using the OpenLDAP ldapsearch, you might need to try:

ldapsearch -Y GSSAPI (then the rest of your search)



--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
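
Added example (not part of the original thread, and not an OpenLDAP tool): a small shell check that classifies how an OpenLDAP ldapsearch argument list will bind, covering both the -x point and the -Y GSSAPI suggestion made in the replies above. The function names bind_mode and needs_x are hypothetical, and only a subset of value-taking options is recognised.

```shell
# Added example; bind_mode and needs_x are hypothetical helper names.

# Print how the given ldapsearch arguments will bind:
#   simple     -x present (simple bind, uses -D and -w/-W)
#   sasl:MECH  -Y MECH present
#   sasl:auto  neither: the client negotiates a SASL mechanism itself
#              (in the trace on this page it started SASL/EXTERNAL)
#   conflict   both -x and -Y given
bind_mode() {
    simple=no; mech=
    while [ $# -gt 0 ]; do
        case "$1" in
            -x) simple=yes ;;
            -Y) if [ $# -gt 1 ]; then mech=$2; shift; fi ;;
            -D|-w|-h|-H|-b|-d|-p|-s|-y)
                # these options consume the next word as their value
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$simple" = yes ] && [ -n "$mech" ]; then echo conflict
    elif [ "$simple" = yes ]; then echo simple
    elif [ -n "$mech" ]; then echo "sasl:$mech"
    else echo sasl:auto
    fi
}

# Succeed (exit 0) when a bind DN (-D) is supplied but no bind method was
# chosen, so the client falls back to SASL: the case in the first post.
needs_x() {
    case "$(bind_mode "$@")" in
        sasl:auto) ;;
        *) return 1 ;;
    esac
    for a in "$@"; do
        if [ "$a" = -D ]; then return 0; fi
    done
    return 1
}

# Simple-bind form of the command from the first post (-W prompts for the
# password instead of placing it on the command line):
#   ldapsearch -x -ZZ -D "cn=Directory Manager" -W -h dirsrv01.dominio '(uid=u01209)'
```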
 
