Example:
/usr/local/bin/ldapsearch -Y digest-md5 -U herm14266x -s base -b ""

If things are set for digest-md5 use for the user in the directory (see the openldap doc), you should be able to get a good sasl bind (if sasl is working ok). The ldapsearch you showed was a simple bind as opposed to a sasl bind which might use gssapi (AD, krb5), digest/cram-md5, etc...

Note that ldap+sasl validation is kind of jumping sasl checks on its own. If it works, then you MIGHT be able to think all of sasl is ok. Others can say with more certainty if that is the case.

Check this next statement with openldap doc, as I recall digest/cram-md5 required the password (shared secret if you prefer) be stored in cleartext in the directory. Not sure if that is an issue in this case.

The slapd.conf passwd is the rootdn passwd, which is not required, you can use sasl mechs for this instead (see the openldap doc, many many options here).

-----Original Message-----
From: Shelley Waltz [mailto:shwaltz@xxxxxxxxxxxxxxxx]
Sent: Monday, November 26, 2007 1:31 PM
To: Chapman, Kyle
Cc: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: RE: LDAP auth failure

installed
[root@roadrunner src]# rpm --install cyrus-sasl-ldap-2.1.22-4.i386.rpm
[root@roadrunner src]# rpm --install cyrus-sasl-md5-2.1.22-4.i386.rpm
and stop/start ldap and saslauthd
results are the same.

Regarding doing sasl binds with ldapsearch, I am somewhat confused. The rootdn == roadrunner.cabm.rutgers.edu password in the slapd.conf file is in {MD5}, however, the userPassword for each uid are in {CRYPT} in my LDAP database. What ldapsearch?

On Mon, 26 Nov 2007, Chapman, Kyle wrote:

Your first ldapsearch example was with a non sasl bind (-x).
Try ldapsearch -Y <sasl mech> <other params>
Looks like digest/cram-md5, gssapi mechs are not installed (at least via rpm???)
Perhaps installing these may help as well:
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-md5-2.1.22-4

To be clear, all this will do is validate that ldap+sasl is working ok, so do any of the other samples for sasl work (I'm used to the src build where the test stuff is under 'sample').

-----Original Message-----
From: Shelley Waltz [mailto:shwaltz@xxxxxxxxxxxxxxxx]
Sent: Monday, November 26, 2007 12:26 PM
To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx; Chapman, Kyle
Subject: RE: LDAP auth failure

[root@roadrunner openldap]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-plain-2.1.22-4

I mentioned that the md5 password for the rootdn does indeed work in my "luma" ldap browser/editor as well with ldapsearch non-anonymously.

On Mon, 26 Nov 2007, Chapman, Kyle wrote:

Is the digest-md5 or other sasl mechs installed (some distros did the mechs as sep rpms, don't recall what RH did)?
Can you do any sasl binds with ldapsearch with the dn of:
cn=waltz_shelley,dc=cabm.rutgers,dc=edu
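
The thread's point that digest/cram-md5 need a cleartext shared secret, while the entries here hold {CRYPT} values, can be checked offline against an LDIF export before testing SASL binds. This is an added example, not code from the thread or from OpenLDAP or Cyrus SASL; the function names and LDIF entries are constructed, and it assumes slapd takes the SASL secret from userPassword.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def password_scheme(value):  # scheme prefix such as {CRYPT}, else CLEARTEXT
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif):
    """Map each dn to (scheme, usable_for_digest_or_cram_md5)."""
    results = {}
    unfolded = ldif.replace("\n ", "")  # LDIF folds long lines with a leading space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, scheme = None, None
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword":
                scheme = password_scheme(value)
        if dn:
            # Assumption: secret comes from userPassword; a hash cannot serve as one.
            results[dn] = (scheme, scheme == "CLEARTEXT")
    return results

# Constructed sample entries (not from the thread); hash values are placeholders.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,dc=example,dc=com",
    "userPassword: {CRYPT}constructedHash",
    "",
    "dn: uid=bob,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{MD5}constructedHash==").decode(),
    "",
    "dn: uid=carol,dc=example,",
    " dc=com",
    "userPassword: constructed-cleartext-secret",
])

if __name__ == "__main__":
    for dn, (scheme, ok) in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {scheme} -> DIGEST-MD5/CRAM-MD5 {'possible' if ok else 'not possible'}")
```

Entries reported as not possible can still authenticate through a simple bind or a mechanism that hands the plaintext to the server for comparison.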