-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Feb 2006, Thomas Dickey wrote:

[snip snip]

> [EMAIL PROTECTED] openldap]# ldapsearch
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

That's probably the GSS-SPNEGO method, which may not be built into the
SASL library on your host.

> additional info: SASL(-4): no mechanism available:

Your host and the ADS domain controllers can't agree on a common
authentication mechanism.

> This may be helpful....
>
> [EMAIL PROTECTED] openldap]# ldapsearch -Z -x -s base -b "" supportedSASLMechanisms
> ldap_start_tls: Server is unavailable (52)
> additional info: 00000000: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece

It looks like your ADS LDAP server isn't set up to do STARTTLS. It can be
- -- ours appears to be so configured. This may not be a big issue since it
doesn't offer SASL PLAIN either. It depends on your confidence in the
security of DIGEST-MD5 (if you use it) and your requirements for privacy
of the actual query and response data.

> # extended LDIF
> #
> # LDAPv3
> # base <> with scope base
> # filter: (objectclass=*)
> # requesting: supportedSASLMechanisms
> #
>
> #
> dn:
> supportedSASLMechanisms: GSSAPI

In practice this means Kerberos V. I use my own Kerberos ticket for
binding to ADS all the time when doing my own searches.

> supportedSASLMechanisms: GSS-SPNEGO

Microsoft likes this one but I don't see much of it elsewhere. It can
encapsulate native Windows authentication, IIRC. Possibly not so useful
in your application.

> supportedSASLMechanisms: EXTERNAL

SASL consults some other service to validate credentials. You need to
know a lot more about what it is expecting if you take this route.

> supportedSASLMechanisms: DIGEST-MD5

Hashed password. I've used this to authenticate e.g. a web server that
has no Kerberos keytab.

> [EMAIL PROTECTED] openldap]# vi ldap.conf
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> URI ldap://192.168.100.1
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> BASE dc=host,dc=domain,dc=com
> HOST 192.168.100.1

You should use *either* HOST or URI but not both. I've gone with URI. In
your case they seem to be giving exactly the same information, but I
believe that HOST is deprecated.

> scope sub
> ldap_version 3
> BINDDN cn=dirsearch,cn=Users,dc=host,dc=domain,dc=com

That should very likely be "cn=dirsearch,ou=Users,dc=host,dc=domain,dc=com".
That is, Users is probably an organizational unit as is "Accounts" here,
while dirsearch is a user object contained therein.

- -- 
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Open-source executable: $0.00. Source: $0.00 Control: priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFD/IOHs/NR4JuTKG8RAgyTAKCUJao1Tk2iXOiPk41Qivoll4FhZACgjpJP
sRKFGe9k6qYhktpRsYV6IvA=
=pVyh
-----END PGP SIGNATURE-----

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE
as the SUBJECT of the message.
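The two checks the reply above walks through by hand (is HOST set alongside URI in ldap.conf, and which SASL mechanisms does the root DSE advertise, with or without a cleartext one) can be scripted so they are run before every bind attempt. The following is an added example, not code from the thread or from OpenLDAP: it parses an ldap.conf fragment and the LDIF printed by `ldapsearch -x -s base -b "" supportedSASLMechanisms`. The sample inputs are constructed from the text quoted in the thread, and the mechanism preference order in `PREFERENCE` is this script's own assumption, not a standard.

```python
"""Pre-bind sanity checks for an OpenLDAP client talking to an AD domain controller.

Added example, not from the mailing-list thread. Parses an ldap.conf fragment
and a root-DSE LDIF dump, then reports configuration and mechanism findings.
"""
import base64
import re

# Constructed from the ldap.conf quoted in the thread (assumed sample input).
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://192.168.100.1
#SIZELIMIT 12
BASE dc=host,dc=domain,dc=com
HOST 192.168.100.1
scope sub
ldap_version 3
BINDDN cn=dirsearch,cn=Users,dc=host,dc=domain,dc=com
"""

# Constructed from the root-DSE query output quoted in the thread.
SAMPLE_ROOT_DSE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
"""

# Mechanisms that send the password itself over the wire.
CLEARTEXT = {"PLAIN", "LOGIN"}
# Assumed preference order for this script: Kerberos first, then a hashed
# challenge/response, then the rest. Not an OpenLDAP or AD default.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "EXTERNAL", "GSS-SPNEGO"]


def parse_ldap_conf(text):
    """Return {KEYWORD: [value, ...]} for every uncommented directive.

    ldap.conf(5) keywords are case-insensitive, so they are upper-cased here;
    a keyword may legitimately appear more than once, hence the list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].upper()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def check_ldap_conf(conf):
    """Return a list of human-readable findings about the parsed ldap.conf."""
    findings = []
    if "HOST" in conf and "URI" in conf:
        findings.append("both HOST and URI are set; keep URI only (HOST is deprecated)")
    elif "HOST" in conf:
        findings.append("HOST is deprecated; use URI instead")
    for entry in conf.get("URI", []):
        for uri in entry.split():
            if uri.startswith("ldap://"):
                findings.append(
                    f"{uri}: plain ldap:// URI; confidentiality depends on StartTLS "
                    "(-Z/-ZZ) or a SASL mechanism that negotiates a privacy layer"
                )
    return findings


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_attr(text, attr):
    """Return all values of one attribute from an LDIF dump, in server order.

    Handles '::' base64-encoded values and skips '#' comment lines."""
    values = []
    for line in unfold_ldif(text):
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        if value.startswith(":"):  # base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if value:
            values.append(value)
    return values


def assess_mechanisms(mechs):
    """Summarise advertised SASL mechanisms and pick one by PREFERENCE order."""
    offered = {m.upper() for m in mechs}
    return {
        "mechanisms": sorted(offered),
        "cleartext_offered": sorted(offered & CLEARTEXT),
        "preferred": next((m for m in PREFERENCE if m in offered), None),
    }


def report(conf_text, root_dse_text):
    """Run both checks and return one dict a caller can log or assert on."""
    conf = parse_ldap_conf(conf_text)
    mechs = parse_ldif_attr(root_dse_text, "supportedSASLMechanisms")
    return {"conf_findings": check_ldap_conf(conf), **assess_mechanisms(mechs)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LDAP_CONF, SAMPLE_ROOT_DSE).items():
        print(f"{key}: {value}")
```

Run against the thread's own data the script reports the HOST/URI clash, a `preferred` mechanism of GSSAPI (matching the reply's Kerberos recommendation) and an empty `cleartext_offered` list, which is the observation behind "it doesn't offer SASL PLAIN either". One caveat worth pairing with the StartTLS failure quoted above: `ldapsearch -Z` only attempts StartTLS and carries on in the clear if the extended operation fails, whereas `-ZZ` requires it to succeed and aborts otherwise, so `-ZZ` is the form to use when the query data must stay private.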