Re: noob on slapd with sasl errors

If I may share advice based on my own trials & tribulations with LDAP
authentication:

You've just hit on a major issue. LDAP is a a critical technology for
people who need network authentication and the current state of
documentation for implementing it is depressing. Partly the problem
lies in the fact that it is difficult to set bounds around what LDAP
does/doesn't/can/can't provide. Although frequently discussed in the
context of network authentication, LDAP really is just a protocol used
to access a directory of information over a network. In the context
of network authentication, the directory contains information about
users, credentials (passwords), etc. However the directory can be
anything--address book, whatever.

With regards to implementing an LDAP-based network authentication
system, there is a lot of mixed, confilicting information out there.
Much of it tends to be specific to the author's situation. You really
have to sort through it and experiment a few times to get a handle on
how the whole thing works to get a feel for what information to
discard and what to keep.

Here's some LDAP information on the Debian wiki:
http://wiki.debian.org/LDAPAuthentication

Be warned it's a mess--mostly a collection of resources. It's
anything but a walkthrough.

Also, O'Reilly's Linux Server Hacks Volume 2 (http://tinyurl.com/h9nsq
-- not sure if it's available in Germany/Deutsch) has a chapter on
using LDAP for Network Authentication. I haven't tried implementing
it from that book, but it looks pretty good. It may be worth browsing
at a bookstore to see if it looks helpful.

Based on my experience, I would make the following recommendations:

*Start with a fresh system. Migrating user/group accounts is
possible, but more complicated
*Get LDAP going first, then fuss with SSL/TLS
*Work with a couple of sacrificial machines, rather than production
systems. If you can't spare the machines, give VMWare Server a try.
It's free, and Ubuntu runs well on it.
*Be willing to start over multiple times.
*When you're configuring slapd, make sure you understand all
directives you're using. *Even if that means running down an
explanation one directive at a time. Every directive exists for a
reason. What applies to one person's situation may not apply to
yours. Only when you understand each and every line in your
slapd.conf can you achieve true Zen.

LDAP authentication really isn't all that hard. It's just that you
have to have a working vocabulary to make sense of most of the
documentation out there. You have to get your hands dirty and break
it a few times in order to build a vocabulary.

Good luck

On 9/12/06, Kaiser, Hans <r_2@xxxxxx> wrote:


> Hello,

I am currently switching dapper to ldap authentication, but after only
few steps I have to give up...

I have configured my slapd.conf like it is presented here:
http://www.howtoforge.com/linux_ldap_authentication

I got stuck with the first ldapsearch command.
ldapsearch -D "cn=Manager,dc=domain,dc=com" -W
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
(80)
additional info: SASL(-13): user not found: no secret in database

and the log files tells me:
SASL [conn=1] Failure: no secret in database
conn=1 op=2 RESULT tag=97 err=80 text=SASL(-13): user not found: no
secret in database

Hope someone can help me....
I have no idea how sasl works and why it is needed here, or even more,
how to configure it.

regards


Try adding -x to your ldapsearch command to use simple authentication
instead of SASL, i.e;
ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -W

Thanks, I will try it!
Anyway is there a howto, which describes the configuration, which is needed
to work properly with/without sasl?
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users





--
If you reply to a message I posted in a mailing list thread,
There's a chance I may not see your response. Feel free to
address me directly in the 'To:', in addition to posting to the list.

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Relevant Pages

  • Re: Directory Services, LDAP or similar
    ... In other projects, we managed the user authentication by creating tables that define all users and its allowed capacities, then the application queryies that data to verify if a user has access to some feature or not. ... The above ID and password are sent to the service at login time. ... They are using Novell eDirectory at the enterprise level; yes it's LDAP. ... We already do that for three different DB servers; ...
    (borland.public.delphi.non-technical)
  • Re: Directory Services, LDAP or similar
    ... we managed the user authentication by creating tables ... The above ID and password are sent to the service at login ... Novell eDirectory at the enterprise level; yes it's LDAP. ... servers; ...
    (borland.public.delphi.non-technical)
  • No more logins after upgrade to deb 5.0
    ... After upgrading from Debian 4.x to 5.x without any further configuration attempts my LDAP Authentication configuration fails. ... If an LDAP Administrator resets that users password and/or as long their ldap password is not expired the user can login anywhere just fine. ...
    (Debian-User)
  • Re: Recommended strategy for providing access to web apps via Inte
    ... LDAP is an ugly solution on the public internet, ... These federated authentication protocols are designed to address these ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
    (microsoft.public.windows.server.active_directory)
  • cyrus-imapd sasl ldap
    ... i have been trying to install the cyrus-imapd to authenticate ... through sasl and i need sasl read it data from a ldap server. ...
    (comp.mail.imap)