[389-users] saslauthd won't work

[Rich Megginson]

On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
> Hi!
>
> Just a little problem about saslauthd with 389.
> When I try to execute:
>
> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
> secret -ZZ  '(uid=u01209)'
>
> it returns
>
> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
> ldap_int_sasl_open: host=dirsrv01.dominio
> SASL/EXTERNAL authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>          additional info: SASL(-4): no mechanism available:
>
>
> I configured /etc/sysconfig/saslauthd in this way
> -------------------------
> # Directory in which to place saslauthd's listening socket, pid file, and so
> # on.  This directory must already exist.
> SOCKETDIR=/var/run/saslauthd
>
> # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
> # of which mechanism your installation was compiled with the ablity to use.
> # MECH=pam
> MECH=ldap
> START=yes
> # Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
> # for the list of accepted flags.
> FLAGS=
> ---------------------------------------------------
>
> What it's wrong??
I'm not sure.  What are you using saslauthd for?  Are you trying to 
allow clients to use simple bind with their Kerberos passwords, rather 
than use the password in the LDAP server?  If so, then you should use 
389 with the PAM Pass-Through Auth plugin, and setup pam_krb5.
> This is the configuration of /etc/openldap/ldap.conf
> ------------------------------------------
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> URI ldap://dirsrv01.dominio/
> BASE dc=dominio
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
> ssl tls_start
> ---------------------------------------------------------
>
> Any Idea?
>
> Regards