Hi Dan,

Thanks so much for your help. I'm getting closer.
The ldapwhoami seems to work now.

    e...@starfish:~/ldif$ ldapwhoami -U erik -H ldaps://localhost/
    SASL/PLAIN authentication started
    Please enter your password:
    SASL username: erik
    SASL SSF: 0
    dn:uid=erik,cn=plain,cn=auth
    e...@starfish:~/ldif$

I can also run an ldapsearch to list the contents of my database:

    e...@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W -Y plain
    Enter LDAP Password:
    SASL/PLAIN authentication started
    SASL username: erik
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <ou=people, dc=lotspeich,dc=org> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # people, lotspeich.org
    dn: ou=people,dc=lotspeich,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: people
    .
    .
    *** DATA OMITTED! ***
    .

    # search result
    search: 2
    result: 0 Success

    # numResponses: 136
    # numEntries: 135

I have two questions/concerns:

1. If I leave the "-Y plain" option off of the argument list to ldapsearch, I get "Invalid credentials":

    e...@starfish:~/ldif$ ldapsearch -D 'uid=erik,cn=plain,cn=auth' -b 'ou=people, dc=lotspeich,dc=org' '(objectclass=*)' -H ldaps://localhost/ -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    e...@starfish:~/ldif$

I have a configuration file in /usr/local/sasl2 for slapd.conf; I tried adding one for ldapsearch:

    r...@starfish:/usr/lib/sasl2# cat ldapsearch.conf
    pwcheck_method: saslauthd
    mech_list: plain

This didn't seem to make a difference in allowing me to authenticate without the "-Y" option.

2. I would like to use authenticated LDAP in Thunderbird. I set uid=erik,cn=plain,cn=auth as my Bind DN. It asked for my password, but always returned 'authentication failed'.

I don't know if #1 or #2 are related. I know I must be missing something. From what I understand (which isn't much), I'm not using simple bind, so I don't need the mappings in my configuration file that you mentioned previously.
Regards,
Erik

Dan White wrote:
> On 29/09/10 10:19 -0500, Erik Lotspeich wrote:
>> Hi Dan,
>>
>> I hope that you don't mind if I ask a follow-up question:
>>
>> r...@starfish:/usr/local/etc/openldap# testsaslauthd -u erik -p XXX -s slapd
>> 0: OK "Success."
>>
>> That works, but when I run ldapwhoami, it doesn't:
>>
>> r...@starfish:/usr/local/etc/openldap# ldapwhoami -Y login -U erik -H ldap://localhost
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available: No worthy mechs found
>>
>> I did a search on the internet, and I ran this command:
>>
>> r...@starfish:/usr/local/etc/openldap# ldapsearch -x -ZZ -s base -b ""
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> #
>> dn:
>> objectClass: top
>> objectClass: OpenLDAProotDSE
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> In other examples I've seen, mechanisms such as PLAIN or LOGIN are listed
>> here.
>
> Make sure you have the appropriate sasl shared libraries installed on both
> your server and your client (which appears to be the same according to your
> examples from above). Use pluginviewer/saslpluginviewer to see which
> server/client mechanisms you do have installed.
>
> For instance, on a Debian system you'd need to have the libsasl2-modules
> package.
>
> If you do have those mechanisms installed but are still not seeing them in
> the '-s base -b ""' search, make sure you've added 'sasl-secprops none' to
> your openldap slapd.conf.
>
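A small added check for the two points Dan raises, which mechanisms the rootDSE actually advertises and whether a cleartext mechanism such as PLAIN is only used over a protected session. This is example code, not anything from the thread or from OpenLDAP; the rootDSE LDIF is constructed to look like what `ldapsearch -x -s base -b "" supportedSASLMechanisms` returns (the attribute is operational, so it has to be requested by name or with `+`), and the `url`/`starttls` arguments are my assumption about how the client's `-H` and `-ZZ` options are passed in.

```python
"""Parse a rootDSE search result and report advertised SASL mechanisms.
Added example, not code from the thread; the sample LDIF is constructed."""
from urllib.parse import urlsplit

# Mechanisms that carry the password in the clear unless TLS protects the session.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: the thread's rootDSE plus a made-up mechanism list.
SAMPLE_ROOTDSE = """\
# extended LDIF
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
"""


def parse_ldif_entry(text):
    """{attr: [values]} for one LDIF entry; skips '#' comments, joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def advertised_mechs(text):
    """Upper-cased set of supportedSASLMechanisms values (empty if none listed)."""
    return {m.upper() for m in parse_ldif_entry(text).get("supportedSASLMechanisms", [])}


def check_mech(text, wanted, url, starttls=False):
    """Is `wanted` (the -Y value) offered, and would it travel in the clear?
    `url` is the -H argument; `starttls` is True when the client uses -ZZ (assumed)."""
    mechs = advertised_mechs(text)
    wanted = wanted.upper()
    protected = urlsplit(url).scheme.lower() == "ldaps" or starttls
    return {
        "offered": wanted in mechs,
        "cleartext_risk": wanted in CLEARTEXT_MECHS and not protected,
    }
```

An empty result from `advertised_mechs` matches the situation in the thread: nothing is advertised, so any `-Y` mechanism will fail on the client side before a password is sent.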
