Re: Sponsoring a canon_user plugin for LDAP lookup

[Torsten Schlabach <tschlabach@xxxxxxx>]

SUCCESS!!

This works now for me as well!

Thank you Howard for developing this patch (which is now working for two 
people already) and a special thanks to Dan for helping out with his 
hints to the configuration.

I am really, really happy now.

One question remaining to Howard:

Is this patch supposed to be committed to be contained in the next 
version of the Cyrus SALS lib?

Regards,
Torsten

Dan White schrieb:
> Right. The SASL/EXTERNAL was a copy and paste error, the
> command was supposed to end with '...u:dwhite'. The -U
> was unnecessary. This command does the same thing:
>
> ldapwhoami -Y EXTERNAL -X u:dwhite
>
> The contents of my /etc/ldap/ldap.conf file are:
> =========
> BASE    dc=nodomain
> URI     ldapi:///
> =========
>
> and I forgot to mention that I modified /etc/default/slapd
> like so, so that slapd listens on ldapi:
>
> SLAPD_SERVICES="ldap:/// ldapi:///"
>
> - Dan
>
> Howard Chu wrote:
>
> > Torsten Schlabach wrote:
> >
> > > Hi Dan!
> > >
> > > Thank you for taking the time for that detailed writeup.
> > >
> > > I have taken a blank server with a fresh Debian Etch installation and 
> > > installed the very same packages you did. I did not yet apply the 
> > > patches as I wanted to make sure I get all that stuff right out of 
> > > the box before I did into canonicalization.
> > >
> > > Here is where I got stuck:
> > >
> > > cyrus@Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
> > >  >  -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
> > >  >  -X u:dwhite SASL/EXTERNAL
> > > SASL/EXTERNAL authentication started
> > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > >         additional info: SASL(-4): no mechanism available:
> >
> >
> > The -U flag is not meaningful with SASL/EXTERNAL. The "SASL/EXTERNAL" 
> > at the end of your command is erroneous. (In Dan's email it was merely 
> > a mis-wrapped line of text output.)
> >
> > The EXTERNAL mechanism is only valid when you use an LDAP session that 
> > has an out-of-band mechanism for transmitting the client credentials 
> > to the server. That usually means a client certificate for TLS or 
> > IPSEC, or an ldapi:// session. You didn't specify any ldapi:// URI 
> > here and you didn't show what's in your ldap.conf file so presumably 
> > it's not using ldapi.
> >
> > > I do have the modules installed (which I know is a common gotcha):
> > >
> > > cyrus@Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
> > > libsasl2                                        install
> > > libsasl2-2                                      install
> > > libsasl2-modules                                install
> > > libsasl2-modules-ldap                           install
> > >
> > > Any idea what I am missing?
> > >
> > > Do you have a 32 or 64 bit system?
> > >
> > > Regards,
> > > Torsten