LDAP+SASL
Michael Peek
peek at tiem.utk.edu
Fri Feb 20 05:55:46 UTC 2009
Norberto Bensa wrote:
> On Thu, Feb 19, 2009 at 8:49 PM, Michael Peek <peek at tiem.utk.edu> wrote:
>
>> But the Mac still fails to bind. I'm telling the Mac to bind with
>> cn=admin,dc=nimbios,dc=org, and giving it the password for the directory
>> admin. Here's the output from slapd:
>>
>>
>
> What mechs are available?
>
> $ ldapsearch -LLL -s base -b '' '(objectClass=*)' supportedSASLMechanisms
>
# ldapsearch -LLL -s base -b '' '(objectClass=*)' supportedSASLMechanisms
SASL/CRAM-MD5 authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
>
> Are you sure your Mac looks for the entry:
> uid=admin,cn=one-available-mech,cn=auth ? This one will be shown with
> "loglevel trace".
>
> This is what "loglevel trace" plus a "grep auth" gives me:
>
> Feb 19 21:13:11 zeddmore slapd[25108]: slap_sasl_getdn: u:id converted
> to uid=zoolook,cn=BENSA.AR,cn=GSSAPI,cn=auth
>
Here's what I see:
# grep auth /var/log/messages
castor slapd[19684]: slap_sasl_getdn: u:id converted to
uid=admin,cn=CRAM-MD5,cn=auth
castor slapd[19684]: >>> dnNormalize: <uid=admin,cn=CRAM-MD5,cn=auth>
castor slapd[19684]: <<< dnNormalize: <uid=admin,cn=cram-md5,cn=auth>
castor slapd[19684]: ==>slap_sasl2dn: converting SASL name
uid=admin,cn=cram-md5,cn=auth to a DN
My admin entry in LDAP looks like this:
dn: cn=admin,ou=People,dc=nimbios,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
userPassword: {SSHA}<stuff>
cn: admin
I thought maybe the problem was the use of cn= rather than uid=, but my
LDAP editor won't let me change cn=admin to uid=admin, nor will it allow
me to create a new entry with uid=admin. Does that sound like a problem?
> As you can see, the first cn= is the REALM, and the second, the mech.
> I remember having problems in an all-Linux network and I added a second
> authz-regexp. This is what I have here:
>
I added the second regexp as well, thanks for the advice.
Thanks for your help,
Michael
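An added example, not from either poster, of the two authz-regexp rules the thread talks around: it maps the SASL identity shown in the log, uid=admin,cn=cram-md5,cn=auth, onto the existing entry cn=admin,ou=People,dc=nimbios,dc=org. The suffix and ou=People come from Michael's entry; the regexps, the fallback rule and the check command are assumptions.

```conf
# Added example (not from the thread): slapd.conf authz-regexp rules for
# Michael's directory. Suffix dc=nimbios,dc=org and ou=People are taken from
# his admin entry; everything else here is an assumption. In cn=config the
# same values go into the olcAuthzRegexp attribute of the cn=config entry.

# Rule 1: direct rewrite for CRAM-MD5. slapd matches the rules against the
# normalized SASL DN (the mech is lower-cased, as the dnNormalize lines in
# the log show) and the match is case-insensitive. Anchor with ^ and $ so a
# longer string containing this pattern cannot also match.
# The entry's own RDN (cn=admin rather than uid=admin) does not matter: the
# replacement only has to be the entry's actual DN.
authz-regexp
    "^uid=([^,]*),cn=cram-md5,cn=auth$"
    "cn=$1,ou=People,dc=nimbios,dc=org"

# Rule 2: fallback for any other mechanism, with or without a realm component
# (uid=NAME,cn=REALM,cn=MECH,cn=auth as in Norberto's GSSAPI log line).
# Rules are tried in order and the first match wins; the URL form performs a
# search and the bind fails unless exactly one entry comes back.
authz-regexp
    "^uid=([^,]*),(cn=[^,]*,)?cn=[^,]*,cn=auth$"
    "ldap:///ou=People,dc=nimbios,dc=org??one?(cn=$1)"

# Check the mapping from a shell once slapd has reloaded:
#   ldapwhoami -Y CRAM-MD5 -U admin
# should print  dn:cn=admin,ou=People,dc=nimbios,dc=org
# Caveat: CRAM-MD5 needs the cleartext password on the server side (sasldb,
# or a cleartext userPassword read through slapd's auxprop plugin); an
# {SSHA}-hashed userPassword alone cannot satisfy a CRAM-MD5 challenge.
```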