On 06/15/2011 09:45 AM, Gioachino Bartolotta wrote:
> Hi,
>
> no, I don't want to use saslauthd with kerberos, but just authenticate
> users against ldap using tls or ssl ...
> Tried to configure samba using ldaps --- and it didn't work.
>
> smbd[10001]: Failed to issue the StartTLS instruction: Operations error
>
> Any idea?
>
> Thank you!
>
> 2011/6/15 Rich Megginson <rmeggins@xxxxxxxxxx>:
>> On 06/15/2011 07:02 AM, Gioachino Bartolotta wrote:
>>> Hi!
>>>
>>> Just a little problem about saslauthd with 389.
>>> When I try to execute:
>>>
>>> ldapsearch -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio -w secret -ZZ '(uid=u01209)'
>>>
>>> it returns
>>>
>>> ldap_sasl_interactive_bind_s: server supports: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
>>> ldap_int_sasl_bind: EXTERNAL GSSAPI PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
>>> ldap_int_sasl_open: host=dirsrv01.dominio
>>> SASL/EXTERNAL authentication started
>>> ldap_perror
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>> additional info: SASL(-4): no mechanism available: You did not specify the -x option - are you trying to use some form of SASL auth, or are you trying to use simple (i.e userDN/password) auth? If the latter, you have to specify the -x option.
>>>
>>> I configured /etc/sysconfig/saslauthd in this way
>>> -------------------------
>>> # Directory in which to place saslauthd's listening socket, pid file, and so
>>> # on. This directory must already exist.
>>> SOCKETDIR=/var/run/saslauthd
>>>
>>> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
>>> # of which mechanism your installation was compiled with the ability to use.
>>> # MECH=pam
>>> MECH=ldap
>>> START=yes
>>> # Additional flags to pass to saslauthd on the command line. See saslauthd(8)
>>> # for the list of accepted flags.
>>> FLAGS=
>>> ---------------------------------------------------
>>>
>>> What is wrong?
>> I'm not sure. What are you using saslauthd for? Are you trying to allow
>> clients to use simple bind with their Kerberos passwords, rather than use
>> the password in the LDAP server? If so, then you should use 389 with the
>> PAM Pass-Through Auth plugin, and set up pam_krb5.
>>> This is the configuration of /etc/openldap/ldap.conf
>>> ------------------------------------------
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>> URI ldap://dirsrv01.dominio/
>>> BASE dc=dominio
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>> TLS_REQCERT allow
>>> ssl tls_start
>>> ---------------------------------------------------------
>>>
>>> Any idea?
>>>
>>> Regards
>>
>

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
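An added check, written for this page and not code from the thread or from the 389 or OpenLDAP projects: a small POSIX sh linter for an ldapsearch argument list that catches the two client-side mismatches the quoted output points at. The first is exactly what ldapsearch's own message says: a bind DN and password (-D/-w) given without -x, so the client attempts a SASL interactive bind instead of a simple bind. The second is StartTLS (-Z/-ZZ) requested together with an ldaps:// URI; libldap refuses to start TLS on a session that is already TLS and reports an operations error. Whether that is what smbd hit in the thread depends on samba settings the thread does not show, so treat it as a caveat, not a diagnosis. Assumptions: only arguments on the command line are inspected (URIs and TLS settings coming from ldap.conf are not seen), and only the option spellings used in the thread are recognised; the host, DN and password are the ones quoted above.

```shell
# check_ldapsearch_args <ldapsearch arguments...>
# Prints one diagnostic per problem found and returns 1 if any was found,
# 0 if the argument list is consistent. Added example, not from the thread.
check_ldapsearch_args() {
    has_x=0; has_dn=0; has_pw=0; has_starttls=0; ldaps_uri=0
    for arg in "$@"; do
        case "$arg" in
            -x)         has_x=1 ;;          # simple (DN/password) bind requested
            -D)         has_dn=1 ;;         # bind DN follows
            -w|-W)      has_pw=1 ;;         # password (inline or prompted)
            -Z|-ZZ)     has_starttls=1 ;;   # StartTLS extended operation
            ldaps://*)  ldaps_uri=1 ;;      # TLS from the first byte (assumed given via -H)
        esac
    done
    rc=0
    # Mismatch 1: credentials supplied, but no -x, so ldapsearch goes down the
    # SASL path and fails with "no mechanism available" as in the thread.
    if [ "$has_dn" -eq 1 ] || [ "$has_pw" -eq 1 ]; then
        if [ "$has_x" -eq 0 ]; then
            echo "bind DN/password given without -x: ldapsearch will try SASL, not simple bind"
            rc=1
        fi
    fi
    # Mismatch 2: StartTLS on an ldaps:// session, which libldap rejects
    # because TLS is already in place.
    if [ "$has_starttls" -eq 1 ] && [ "$ldaps_uri" -eq 1 ]; then
        echo "-Z/-ZZ combined with an ldaps:// URI: session is already TLS, StartTLS will fail"
        rc=1
    fi
    return $rc
}

# Usage: the invocation quoted in the thread trips the first check;
# adding -x makes it consistent.
check_ldapsearch_args -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio \
    -w secret -ZZ '(uid=u01209)' || echo "ldapsearch arguments need fixing"
check_ldapsearch_args -x -d 1 -D "cn=Directory Manager" -h dirsrv01.dominio \
    -w secret -ZZ '(uid=u01209)' && echo "ldapsearch arguments look consistent"
```

The usage lines at the bottom reproduce the command from the thread: the first call reports the missing -x, the second (with -x added) passes, which is the change ldapsearch's own error text asks for.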