Ah, the SASL mechanism is it... I had not configured the sasl-secprops
to disable the SASL mechanisms that are not configured. In OL 2.2,
attempting to use a mechanism that was not configured (/etc/sasldb2
doesn't exist) resulted in error code 80 (0x50 -- Internal Error). And
that triggered the Mac to fall back and try a simple bind.

OL 2.3, in the same scenario, returns error code 49 (0x31 -- Invalid
Credentials) -- As far as I'm concerned, that's a lie... However, I'm
certain someone discussed this on the developers list (which I don't
follow closely) and it was decided that a failure because the SASL
mechanism is not properly implemented should be deemed to be the same as
if the mechanism was implemented and returned a failure.

Since I use [EMAIL PROTECTED] (aka spasswd) to validate the passwords
against the Kerberos environment and do provide GSSAPI mechanism, the
trick for me was to find the correct setting of sasl-secprops to disable
all the other SASL mechanisms that roll along for "free" with the RedHat
installation.

fix: I needed to add

    sasl-secprops noplain,noanonymous,noactive

to my slapd.conf file.

Frank

On 2/11/06 6:43 PM, Aaron Richton wrote:
If you're expecting the Macs to do simple binds, they're probably not.
(They probably did in earlier 2.3/2.2, but that was a bug in slapd.)
Either configure OpenLDAP to accept SASL binds, recompile --without-sasl,
or fake it with

    access to dn.exact="" attrs=supportedSASLMechanisms by * none

any one of which will force DSLDAPv3 to downgrade to a simple bind.

On Fri, 10 Feb 2006, Francis Swasey wrote:
I have just gotten clobbered because I completed upgrading the last of
the ldap servers to 2.3.19 today and immediately all the Macs on campus
were unable to authenticate....

Anyone else experience problems with Macs authenticating against
OpenLDAP 2.3 when they were able to with OpenLDAP 2.2?
--
Frank Swasey | http://www.uvm.edu/~fcs
Senior IT Professional | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
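
Added example, not part of the original thread or of OpenLDAP: a small audit that parses the root DSE's supportedSASLMechanisms values and reports mechanisms the server advertises but the administrator never configured, which is the condition described above. The host name, the sample LDIF and the function names are assumptions made for illustration.

```python
import base64

# Constructed sample: the kind of LDIF returned by
#   ldapsearch -x -LLL -H ldap://ldap.example.org -s base -b "" supportedSASLMechanisms
# for a hypothetical server with no sasl-secprops restriction in slapd.conf.
SAMPLE_ROOTDSE = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-
 MD5
supportedSASLMechanisms:: UExBSU4=
supportedSASLMechanisms: ANONYMOUS
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading single space) to the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def advertised_mechanisms(ldif):
    """Return the set of SASL mechanism names advertised in a root DSE LDIF dump."""
    mechs = set()
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "supportedsaslmechanisms":
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        mechs.add(value.upper())
    return mechs

def audit(ldif, configured):
    """Compare advertised mechanisms with the ones the site actually configured."""
    advertised = advertised_mechanisms(ldif)
    allowed = {m.upper() for m in configured}
    return {"unexpected": sorted(advertised - allowed),
            "missing": sorted(allowed - advertised)}

if __name__ == "__main__":
    # GSSAPI is the only mechanism the poster says is really provided.
    print(audit(SAMPLE_ROOTDSE, {"GSSAPI"}))
```

An empty "unexpected" list is the state the sasl-secprops line is meant to produce; a non-empty "missing" list is what a client sees when the attribute is hidden by the ACL quoted in the reply.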