Sorry, I've been busy working on another project....
But before working on the other project, I was able to replicate from master to
slave LDAP servers with simple bind and the plaintext password in the
/etc/openldap/slapd.conf file.
Now that I have time to continue with LDAP, I was wondering if there are any
HOWTOs for LDAP with SSL and SASL, without Kerberos. I don't want to have the
password in plain text in the configuration file.
I have the following in my /etc/openldap/slapd.conf file for the replica piece:

    replica host=server2.pro-unlimited.com:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        tls=yes
        bindmethod=sasl
        authcid=replicator
        credentials={MD5}iNv5bh4HOx5hLd+CWDcfZw==
        saslmech=digest-md5
Yet, when I run slurpd in debug mode, after SSL has passed, I get the message
that says:
"Error: LDAP SASL for <server2>.pro-unlimited.com:389 failed: Authentication
method not supported"
I have even tried putting this on my master LDAP server and the slave:

    sasl-realm <server1>.pro-unlimited.com
    sasl-regexp uid=(.*),cn=.*,cn=.*,cn=auth cn=$1,ou=people,dc=pro-unlimited,dc=com
Yet, I still get the same error message as above.
I've even created the user in /etc/sasldb on the master and the slave LDAP
servers:
[EMAIL PROTECTED] openldap]# sasldblistusers
user: replicator realm: server1.pro-unlimited.com mech: PLAIN
user: replicator realm: server1.pro-unlimited.com mech: CRAM-MD5
user: replicator realm: server1.pro-unlimited.com mech: DIGEST-MD5
[EMAIL PROTECTED] openldap]# sasldblistusers
user: replicator realm: server2.pro-unlimited.com mech: PLAIN
user: replicator realm: server2.pro-unlimited.com mech: CRAM-MD5
user: replicator realm: server2.pro-unlimited.com mech: DIGEST-MD5
[EMAIL PROTECTED] openldap]# sasldblistusers2
[EMAIL PROTECTED]: userPassword
Can someone point me in a direction, or to hints or HOWTOs?
Thanks,
Steven
----- Original Message ----
From: Howard Chu <[EMAIL PROTECTED]>
To: Aaron Richton <[EMAIL PROTECTED]>
Cc: Steven Wong <[EMAIL PROTECTED]>; openLDAP software
<[email protected]>
Sent: Tuesday, July 18, 2006 3:27:58 PM
Subject: Re: slurpd -d9 --- Invalid credentials
Aaron Richton wrote:
>> Just curious, anyway I can use encrypted passwd for the proxyuser
>> also? This passwd is currently in /etc/ldap.secret with perm 0600 in
>> clear text. I've read that this has to be on every system (ldap
>> server or client).
>
> Whenever you are using a simple bind mechanism, you will need to store
> the credentials in plaintext or the moral equivalent of plaintext.
> This applies for replication, proxyuser, Any Old User Off The Street,
> etc., so long as they're using simple bind.
Not just simple bind. Also for SASL/DIGEST-MD5, i.e., any mech that
ordinarily prompts the user for a password.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
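The point Howard makes above, worked through as an added example that is not part of the original thread and not OpenLDAP or Cyrus SASL code: a DIGEST-MD5 client (RFC 2831) derives its response from H(username:realm:password), so the client side (here slurpd) must hold the plaintext password, or that inner hash, which is password-equivalent. The `{MD5}` value in the replica stanza above is base64(MD5(password)) and is not that inner hash, so a response built from it cannot verify. The first set of inputs is the example exchange from RFC 2831 section 4; the `replicator` password and nonces in `replica_bind_demo` are constructed for illustration. The example covers only the credential question; it says nothing about the "Authentication method not supported" error, which is a mechanism-negotiation failure that happens before any response is computed.

```python
"""DIGEST-MD5 (RFC 2831) response computation, to show why the client needs
the plaintext password. Added example; not from the thread or from OpenLDAP."""
import base64
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """H() of RFC 2831: raw 16-byte MD5."""
    return hashlib.md5(data).digest()


def a1_hex(username, realm, password, nonce, cnonce, authzid=None):
    """HEX(H(A1)) for algorithm=md5-sess (RFC 2831 section 2.1.2.1).

    The inner H(username:realm:password) is the only secret-dependent term and
    needs the *plaintext* password (or that 16-byte value, which is
    password-equivalent). A userPassword hash in some other format is useless.
    """
    inner = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _h(a1).hex()


def _a2_hex(method, digest_uri, qop):
    """HEX(H(A2)); method is "AUTHENTICATE" for the client, "" for rspauth."""
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _h(a2.encode("utf-8")).hex()


def _kd(a1, nonce, nc, cnonce, qop, a2):
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k:s)."""
    return _h(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}".encode("utf-8")).hex()


def client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The response= value the client sends in its digest-response."""
    return _kd(a1_hex(username, realm, password, nonce, cnonce),
               nonce, nc, cnonce, qop, _a2_hex("AUTHENTICATE", digest_uri, qop))


def server_rspauth(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """The rspauth= value the server returns; its A2 has no method token."""
    return _kd(a1_hex(username, realm, password, nonce, cnonce),
               nonce, nc, cnonce, qop, _a2_hex("", digest_uri, qop))


def server_accepts(stored_password, username, realm, nonce, cnonce, nc, qop,
                   digest_uri, presented_response):
    """Server side: sasldb holds the plaintext userPassword; recompute and compare."""
    expected = client_response(username, realm, stored_password,
                               nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, presented_response)


def openldap_md5_userpassword(password):
    """The {MD5} userPassword form: "{MD5}" + base64(MD5(password))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


# Example exchange from RFC 2831 section 4 (IMAP server, password "secret").
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                       password="secret", nonce="OA6MG9tEQGm2hh",
                       cnonce="OA6MHXh6VqTrRk", nc="00000001", qop="auth",
                       digest_uri="imap/elwood.innosoft.com")


def replica_bind_demo():
    """Constructed replicator scenario; password, nonces and URI are made up.

    Returns whether the server accepts a response built from the plaintext
    credential and one built from the {MD5} hash string used as the password.
    """
    username, realm = "replicator", "server2.pro-unlimited.com"
    password = "example-replicator-secret"  # constructed, not from the thread
    nonce, cnonce, nc, qop = "c0nstructedN0nce", "c0nstructedCn0nce", "00000001", "auth"
    digest_uri = "ldap/server2.pro-unlimited.com"  # constructed

    good = client_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    # Feeding the {MD5} string in as the password builds A1 from the wrong
    # value; the server, holding the real password, cannot match it.
    bad = client_response(username, realm, openldap_md5_userpassword(password),
                          nonce, cnonce, nc, qop, digest_uri)
    args = (username, realm, nonce, cnonce, nc, qop, digest_uri)
    return {"plaintext_ok": server_accepts(password, *args, good),
            "hashed_ok": server_accepts(password, *args, bad)}


if __name__ == "__main__":
    print("RFC 2831 response:", client_response(**RFC2831_EXAMPLE))
    print("RFC 2831 rspauth: ", server_rspauth(**RFC2831_EXAMPLE))
    print("replica demo:     ", replica_bind_demo())
```

The consequence for the replica stanza is the one Howard states: `credentials=` has to be the plaintext password (slurpd, like any DIGEST-MD5 client, cannot derive A1 from a stored hash), and the server's sasldb likewise holds the plaintext or the password-equivalent inner hash. What you can do is limit exposure: keep slapd.conf root-owned with mode 0600, give the replicator identity no rights beyond what replication needs, and rotate that one password independently of any other account.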