[I posted this to the Novell novell.support.sles.configure-administer
discussion group, but have not received any response. As I have an end-of-week
deadline to get this working, I'm re-posting it to this mailing list, with
apologies.]
Hi
I'm trying to use the SLES 9 SP3 OpenLDAP server with TLS. I've read the
LDAP chapter (Chapter 21) of the 'SuSE Linux Enterprise Server 9
Administration and Installation Guide', as well as much of "OpenLDAP
Software 2.3 Administrator's Guide". I've used the YaST LDAP Server
Configuration utility, and have enabled TLS support.
When I run ldapsearch with simple authentication, the command does return
the requested output:
# ldapsearch -x -b dc=backup
But when I run the command in the default SASL mode, I get:
# ldapsearch -x -b dc=backup
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database
#
I see two problems:
1) DIGEST-MD5 is being used, and I believe I want EXTERNAL (which, I think,
calls TLS) to be used. I see that /usr/lib/sasl2/slapd.conf
contains "mech_list: gssapi digest-md5 cram-md5". I don't see 'external'
in the list. Should I just add it? If so, why wasn't this done by YaST
automatically?
2) the error message contains, "user not found: no secret in database".
What user is being referred to, and what/where is this database?
Finally, I've noted what could be a bug. The sample applications
(sample_client and sample_server) are not present in the SLES 9
'cyrus-sasl' package, but they are present in the SLES 10 'cyrus-sasl' package.
If this is documented somewhere, please point me to it. I sure don't find
what I need in the SLES documentation.
Thanks for the help!
tl
Terry Lemons
Backup Platforms Group
EMC²
where information lives
4400 Computer Drive, MS D239
Westboro MA 01580
Phone: 508 898 7312
Email: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]