[389-users] saslauthd won't work

Rich Megginson rmeggins at redhat.com
Wed Jun 15 16:51:20 UTC 2011


On 06/15/2011 09:45 AM, Gioachino Bartolotta wrote:
> Hi,
>
> no, I don't wanna use saslauthd with kerberos, but just authenticate
> users against ldap using tls or ssl ...
> Tried to configure samba using ldaps --- and it didn't work.
>
> smbd[10001]:   Failed to issue the StartTLS instruction: Operations error
>
> Any Idea??
>
> Thank you!
>
> 2011/6/15 Rich Megginson<rmeggins at redhat.com>:
>> On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
>>> Hi!
>>>
>>> Just a little problem about saslauthd with 389.
>>> When I try to execute:
>>>
>>> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w
>>> secret -ZZ  '(uid=u01209)'
>>>
>>> it returns
>>>
>>> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN
>>> LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
>>> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS
>>> DIGEST-MD5
>>> ldap_int_sasl_open: host=dirsrv01.dominio
>>> SASL/EXTERNAL authentication started
>>> ldap_perror
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>          additional info: SASL(-4): no mechanism available:
You did not specify the -x option - are you trying to use some form of 
SASL auth, or are you trying to use simple (i.e. userDN/password) auth? 
If the latter, you have to specify the -x option.
>>>
>>> I configured /etc/sysconfig/saslauthd in this way
>>> -------------------------
>>> # Directory in which to place saslauthd's listening socket, pid file, and so
>>> # on.  This directory must already exist.
>>> SOCKETDIR=/var/run/saslauthd
>>>
>>> # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
>>> # of which mechanism your installation was compiled with the ability to use.
>>> # MECH=pam
>>> MECH=ldap
>>> START=yes
>>> # Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
>>> # for the list of accepted flags.
>>> FLAGS=
>>> ---------------------------------------------------
>>>
>>> What's wrong??
>> I'm not sure.  What are you using saslauthd for?  Are you trying to allow
>> clients to use simple bind with their Kerberos passwords, rather than use
>> the password in the LDAP server?  If so, then you should use 389 with the
>> PAM Pass-Through Auth plugin, and set up pam_krb5.
>>> This is the configuration of /etc/openldap/ldap.conf
>>> ------------------------------------------
>>> #SIZELIMIT      12
>>> #TIMELIMIT      15
>>> #DEREF          never
>>> URI ldap://dirsrv01.dominio/
>>> BASE dc=dominio
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> TLS_REQCERT allow
>>> ssl tls_start
>>> ---------------------------------------------------------
>>>
>>> Any Idea?
>>>
>>> Regards
>>
>
>
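Added example, not part of the thread and not from either poster: a small Python checker for the two client-side points raised above. It classifies an ldapsearch command line the way Rich describes (no -x means ldapsearch attempts a SASL bind; -x means a simple bind with -D/-w), and it reads an OpenLDAP ldap.conf and reports settings that weaken TLS. The TLS_REQCERT semantics follow ldap.conf(5): only `demand` (alias `hard`) verifies the server certificate, while `never`, `allow` and `try` let the session proceed with a bad or missing certificate. The `ssl` line is flagged because it is not an OpenLDAP ldap.conf(5) keyword and so has no effect on libldap clients. The sample config and command line are constructed from the text quoted in the thread; the function names are this example's own.

```python
"""Check an OpenLDAP client config and an ldapsearch command line for the
bind-mode and TLS-verification issues discussed in the thread.
Added example; constants below are constructed from the quoted thread text."""

import shlex

# ldap.conf(5) TLS_REQCERT values. Only 'demand' (alias 'hard') makes the
# client reject a bad or missing server certificate.
REQCERT_KNOWN = {"never", "allow", "try", "demand", "hard"}
REQCERT_VERIFIES = {"demand", "hard"}

# Constructed sample: the ldap.conf quoted in the thread.
LDAP_CONF_FROM_THREAD = """\
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://dirsrv01.dominio/
BASE dc=dominio
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
ssl tls_start
"""

# Constructed sample: the ldapsearch invocation quoted in the thread.
LDAPSEARCH_FROM_THREAD = (
    'ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio '
    "-w secret -ZZ '(uid=u01209)'"
)


def parse_ldap_conf(text):
    """Parse 'KEYWORD value' lines into a dict, keyword upper-cased.

    ldap.conf(5) keywords are case-insensitive; comments and blank lines
    are skipped and a repeated keyword keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text):
    """Return findings as (severity, keyword, message) tuples."""
    conf = parse_ldap_conf(text)
    findings = []

    # 'demand' is the libldap default when TLS_REQCERT is absent.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert not in REQCERT_KNOWN:
        findings.append(("error", "TLS_REQCERT", f"unknown value {reqcert!r}"))
    elif reqcert not in REQCERT_VERIFIES:
        findings.append(("warning", "TLS_REQCERT",
                         f"{reqcert!r} does not verify the server certificate, "
                         "so StartTLS/ldaps will accept a spoofed server"))

    if conf.get("URI", "").startswith("ldap://"):
        findings.append(("info", "URI",
                         "ldap:// is cleartext unless the client requests "
                         "StartTLS (ldapsearch -Z requests it, -ZZ requires it)"))

    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append(("warning", "TLS_CACERT",
                         "no CA configured; the server certificate cannot be "
                         "verified even with TLS_REQCERT demand"))

    if "SSL" in conf:
        findings.append(("info", "SSL",
                         "'ssl' is not an OpenLDAP ldap.conf(5) keyword and "
                         "does not enable StartTLS for libldap clients"))
    return findings


def ldapsearch_bind_mode(cmdline):
    """Return (bind_mode, starttls) for an ldapsearch command line.

    bind_mode is 'simple' only when -x is present; otherwise ldapsearch
    tries a SASL interactive bind, which is what the thread's -d 1 output
    shows. starttls is 'required' for -ZZ, 'requested' for -Z, else 'none'.
    """
    argv = shlex.split(cmdline)
    mode = "simple" if "-x" in argv else "sasl"
    if "-ZZ" in argv:
        starttls = "required"
    elif "-Z" in argv:
        starttls = "requested"
    else:
        starttls = "none"
    return mode, starttls


if __name__ == "__main__":
    print("ldapsearch bind:", ldapsearch_bind_mode(LDAPSEARCH_FROM_THREAD))
    for severity, keyword, message in check_ldap_conf(LDAP_CONF_FROM_THREAD):
        print(f"[{severity}] {keyword}: {message}")
```

Run it as-is to see the thread's configuration reported, or point `check_ldap_conf` at the contents of your own /etc/openldap/ldap.conf. Adding `-x` to the quoted command line flips the bind classification to `simple`, which is the change Rich asks for.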