openldap config

[jimbo]

Hi All,

I'm trying to implement an ldap contact list and am having a heck of a time.

I've got the ldap server running and can get a good response with the following command:

Code:

[root@grower:/etc/openldap] ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=fullcirclefarm,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

but when I go to add entries into the database I get the following error:

Code:

[root@grower:/etc/openldap] ldapadd -D "cn=root"

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)

I'm assuming this is an authentication problem with SASL but how do I sort this out. I haven't been able to find any decent documentation on this issue except for setting up ldap as a server authentication method... which is what I don't want. I just want a simple address book!

Any suggestions?

[Rolled_Gold]

If your running FC2 please post the contents of your /etc/sysconfig/saslauthd file.

[jimbo]

This one happens to be on FC1 and there isn't an /etc/sysconfig/saslauthd file.
Although there is the corresponding saslauthd init script in /etc/init.d... which is running

What might the contents of the file look like?

[Rolled_Gold]

I think the init script will source /etc/sysconfig/saslauthd if it's there in FC1 (going from memory on this). If so you can modify what auth method sasl will do with this line MECH=METHOD (Choose one: getpwent kerberos5 pam rimap shadow ldap).

It looks like is your auth method isn't setup properly. How did you want to do it? PAM is easy but you'll have to start creating shell accounts for all users or get something like pam_mysql. You could point it back towards ldap (if your schema supports auth, but you'll need to bootstrap with another method first). The default behavior for saslauth on FC1 (going from memory again) is inside sasldb.

Trouble shoot the problem with /usr/sbin/testsaslauthd. Once you can authenticate with that command you should be able to update your ldap schema (maybe 8).

[jimbo]

OK, I've set METHOD=pam in /etc/sysconfig/saslauthd and restarted the service.

I tested with /usr/sbin/testsaslauthd and passed the username and password and recieved:

Code:

0: OK "Success."

So saslauth seems to be working.

I restarted ldap for good measure and tried to add a new entry with the following results:

Code:

[root@grower:/etc/openldap] ldapadd -f ./myldif.ldif -xv -D "cn=root,dc=fullcirclefarm,dc=com" -W
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Any ideas?

PS Thanks for the help!

[jimbo]

OK, I might be on to something... I removed the package cyrus-sasl-gssapi.

Now when I try the following:

Code:

ldapadd -D "cn=root" -h localhost
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database

So it looks like I need to tell ldap which sasl mech to use. How do I do that? I don't see anything in /etc/openldap/slapd.conf that looks remotely like such a setting.

Thanks again for your help so far Rolled_Gold!

[Rolled_Gold]

Unfortunately that is where my knowledge ends...

Perhaps some one else can step in.

[beta2]

I guess you use the non-crypted password. If you specify -x command option for 'ldapadd', it should be ok