I had set up a secured TLS with all the certificates and keys needed. But still, I cannot log in using SASL and PLAIN/LOGIN mechanisms over TLS. The user in the example has the userPassword hashed in MD5. See errors below:

>ldapsearch -h localhost:9999 -Y PLAIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed

>ldapsearch -h localhost:9999 -Y LOGIN -w pass1 -U user1 -b dc=my-domain,dc=com -s base -ZZ
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: checkpass failed

Using cleartext password solves the problem but this is not what I am trying to do.

Just a reminder of what I am trying to achieve:
In the database I want the userPassword field to be hashed and the bind authentication will be against it using the authz-regexp directive in slapd.conf.
Using DIGEST-MD5 SASL doesn't help here because the userPassword needs to be in cleartext in the database.

Yet again, any help will be appreciated.

Zohar

On 10/23/07, Dieter Kluenter <[EMAIL PROTECTED]> wrote:
>
> "Zohar Lev Shani" <[EMAIL PROTECTED]> writes:
>
> > OK, got that.
> >
> > Now I am trying a different SASL configuration, and I have these
> > mechanisms available:
> >
> >> ldapsearch -h localhost:9999 -x -b '' supportedSASLMechanisms -s base -LLL
> > dn:
> > supportedSASLMechanisms: LOGIN
> > supportedSASLMechanisms: PLAIN
> >
> > With the same data, I tried running ldapsearch with SASL and got that
> > there are no SASL mechanisms available.
> >
> >> ldapsearch -h localhost:9999 -Y PLAIN -U user1 -w pass1 -LLL -b cn=user1,cn=users,dc=my-domain,dc=com
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> >         additional info: SASL(-4): no mechanism available: No worthy mechs found
> >
> > Same goes for '-Y LOGIN'.
> >
> > What am I missing here?
>
> OpenLDAP only supports PLAIN and LOGIN if data transport is secured
> that is either by TLS or local pipe. Install sasl libdigestmd5 and
> libcrammd5 to provide shared secret security.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> GPG Key ID:8EF7B6C6
>