devel - Fashion Content
2006-Sep-17 12:24 UTC
[Fedora-directory-users] How to make anonymous SASL work?
I seem quite stuck on getting the first step of setting up mail authentication.
I have a running directory and Cyrus-SASL installed, but I can't get
the two to communicate properly.
For now I think anonymous access is fine as they are on the same server.
I tried ldapsearch, but it seems to fail quite basically:
[root@langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b
"fashioncontent.com" cn=hvendelbo
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
[root@langham ~]# ldapsearch -X -Y
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
As I understand the message I need to configure some protocol on the server, but
I have no idea where or how??
Henrik
Morris, Patrick
2006-Sep-17 13:46 UTC
RE: [Fedora-directory-users] How to make anonymous SASL work?
> I seem quite stuck on getting the first step of setting up
> mail authentication.
>
> I have a running directory and Cyrus-SASL installed, but I
> can't get the two to communicate properly.
>
> For now I think anonymous access is fine as they are on the
> same server.
>
> I tried ldapsearch, but it seems to fail quite basically:
>
> [root@langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b
> "fashioncontent.com" cn=hvendelbo
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> [root@langham ~]# ldapsearch -X -Y
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> As I understand the message I need to configure some protocol
> on the server, but I have no idea where or how??

It looks like you're using the OpenLDAP version of ldapsearch and don't have SASL auth set up on the server.

You can either pass the "-x" switch to ldapsearch to use plaintext auth, or use the ldapsearch that comes with the directory server (probably in /opt/fedora-ds/shared/bin).
devel - Fashion Content
2006-Sep-17 13:51 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
I have cyrus-sasl installed and configured, so I tried testsaslauthd, which failed, so I tried ldapsearch.
Should I remove OpenLDAP? I thought SASL used the LDAP client.

Henrik

----- Original Message -----
From: "Morris, Patrick" <patrick.morris@hp.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Sunday, September 17, 2006 2:46 PM
Subject: RE: [Fedora-directory-users] How to make anonymous SASL work?

> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.
>
> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
devel - Fashion Content
2006-Sep-17 14:20 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
>> As I understand the message I need to configure some protocol
>> on the server, but I have no idea where or how??
>
> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.

Yes, but how do I set up SASL auth? What doc describes it in less than 100 pages?
Also, why shouldn't the OpenLDAP client be able to talk to Fedora DS?

> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).
devel - Fashion Content
2006-Sep-17 14:23 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
[root@langham ~]# /opt/fedora-ds/shared/bin/ldapsearch -x
/opt/fedora-ds/shared/bin/ldapsearch: error while loading shared libraries: libssldap50.so: cannot open shared object file: No such file or directory

The libssldap50.so is present with rx access to all.

----- Original Message -----
From: "Morris, Patrick" <patrick.morris@hp.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Sunday, September 17, 2006 2:46 PM
Subject: RE: [Fedora-directory-users] How to make anonymous SASL work?

> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.
>
> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).
Richard Megginson
2006-Sep-17 15:53 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
devel - Fashion Content wrote:
>>> As I understand the message I need to configure some protocol
>>> on the server, but I have no idea where or how??
>>
>> It looks like you're using the OpenLDAP version of ldapsearch and don't
>> have SASL auth set up on the server.
>
> Yes, but how do I set up SASL auth. What doc describes it in less than
> 100 pages.
> Also, why shouldn't the OpenLDAP client be able to talk to Fedora DS?

It is - see below

>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>> or use the ldapsearch that comes with the directory server (probably in
>> /opt/fedora-ds/shared/bin).

/usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....

ldapsearch by default will attempt a SASL bind, using the best mechanism available. To disable this behavior, and force the openldap command line tools to use SIMPLE binddn/password auth, you have to specify the -x argument.
devel - Fashion Content
2006-Sep-17 19:42 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>> or use the ldapsearch that comes with the directory server (probably in
>> /opt/fedora-ds/shared/bin).
>
> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>
> ldapsearch by default will attempt a SASL bind, using the best mechanism
> available. To disable this behavior, and force the openldap command
> line tools to use SIMPLE binddn/password auth, you have to specify the
> -x argument.

Ok, tried that and it seemed to work, except I can't get it to return any data (I have 3 users defined) when I use the ldapsearch which comes with fedora-ds. The OpenLDAP ldapsearch works as expected.

testsaslauthd still doesn't work though.

I must admit it seems a bit worrying that a vanilla mailserver setup is this hard.
Am I the only one that would use Fedora DS for authenticating IMAP users?

Henrik
Richard Megginson
2006-Sep-17 23:19 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
devel - Fashion Content wrote:
>>> You can either pass the "-x" switch to ldapsearch to use plaintext
>>> auth,
>>> or use the ldapsearch that comes with the directory server (probably in
>>> /opt/fedora-ds/shared/bin).
>
> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>
> ldapsearch by default will attempt a SASL bind, using the best mechanism
> available. To disable this behavior, and force the openldap command
> line tools to use SIMPLE binddn/password auth, you have to specify the
> -x argument.
>
> Ok tried that and it seemed to work except I can't get it to return
> any data (I have 3 users defined) when I use the
> ldapsearch which comes with fedora-ds. The OpenLDAP ldapsearch works
> as expected.

Can you post the exact command lines that you used and the output you got?

> testsaslauthd still doesn't work though.

I'm not really sure what that does. Fedora DS supports SASL - EXTERNAL (i.e. client cert auth, if you configure the server for SSL), DIGEST-MD5 (with clear text passwords in the db), and GSSAPI (i.e. Kerberos).

> I must admit it seems a bit worrying that a vanilla mailserver setup
> is this hard.
> Am I the only one that would use Fedora DS for authenticating IMAP users?
>
> Henrik
devel - Fashion Content
2006-Sep-18 17:19 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
I have the mailserver and the directory on the same server.

I have installed OpenLDAP client & libs and cyrus sasl.
Fedora DS ldapsearch is not on the path.
The Fedora DS now stores userPasswords as plaintext.

saslauthd run with: MECH=ldap, FLAGS=-c

saslauthd.conf:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=People,dc=fashioncontent,dc=com
ldap_bind_dn: cn=Directory Manager,dc=fashioncontent,dc=com
ldap_bind_pw: secret
ldap_filter: (&(objectClass=inetorgperson)(uid=%u))
ldap_use_sasl: no
ldap_auth_method: bind
ldap_version: 3
ldap_debug: 3
ldap_verbose: on
log_level: 255

OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise shows the users I look up
OpenLDAP ldapsearch userPassword=secret: Success
Fedora ldapsearch: Fails to find anything
testsaslauthd -u devel -p secret: Fails to find anything, error code 32

I think I haven't figured out how to make saslauthd report the ldap queries, so I know very little of what happens and the Fedora logs don't appear to help much more.

Henrik
Richard Megginson
2006-Sep-21 14:57 UTC
Re: [Fedora-directory-users] How to make anonymous SASL work?
devel - Fashion Content wrote:
> I have the mailserver and the directory on the same server.
>
> I have installed OpenLDAP client & libs and cyrus sasl.
> Fedora DS ldapsearch is not on the path.
> The Fedora DS now stores userPasswords as plaintext.
>
> saslauthd run with: MECH=ldap, FLAGS=-c
>
> saslauthd.conf:
>
> ldap_servers: ldap://127.0.0.1
> ldap_search_base: ou=People,dc=fashioncontent,dc=com
> ldap_bind_dn: cn=Directory Manager,dc=fashioncontent,dc=com
> ldap_bind_pw: secret
>
> ldap_filter: (&(objectClass=inetorgperson)(uid=%u))
> ldap_use_sasl: no
> ldap_auth_method: bind
> ldap_version: 3
> ldap_debug: 3
> ldap_verbose: on
> log_level: 255
>
> OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise
> shows the users I look up
> OpenLDAP ldapsearch userPassword=secret: Success
> Fedora ldapsearch: Fails to find anything
> testsaslauthd -u devel -p secret: Fails to find anything, error code
> 32 I think

It would be helpful if you could post the exact ldapsearch command line that you used both for openldap and for fedora ds, along with the exact output, or an excerpt of a few lines at least.

> I haven't figured out how to make saslauthd report the ldap queries,
> so I know very little of what happens and the Fedora logs
> don't appear to help much more.

The fedora ds access log will show the tcp socket connection/disconnection and peer IP address, the BIND request and result, and the SRCH request and result. If you need help interpreting the log output, please post an excerpt to this list.

> Henrik
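Richard's last reply points at the directory server's access log as the place to see what saslauthd actually sent (the connection and its peer address, the BIND and its result, the SRCH and its result). The following is an added example, not code from the thread or from the Fedora DS project: a small Python parser for lines in the 389/Fedora DS access-log format that pairs each BIND and SRCH request with its RESULT line and flags non-zero result codes and searches that returned nothing. The log lines, connection numbers, timestamps and DNs in SAMPLE_LOG are constructed for the example; the result-code names are the standard LDAP ones (RFC 4511), where 32 is noSuchObject and 49 is invalidCredentials.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the 389/Fedora DS access-log format (hypothetical lines, not from the thread).
# conn=5: a bind answered with err=32; conn=6: a successful bind, a search that finds one
# entry, then a bind as the found user that is answered with err=49.
SAMPLE_LOG = """\
[18/Sep/2006:17:19:02 +0000] conn=5 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2006:17:19:02 +0000] conn=5 op=0 BIND dn="cn=Directory Manager,dc=example,dc=com" method=128 version=3
[18/Sep/2006:17:19:02 +0000] conn=5 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[18/Sep/2006:17:19:02 +0000] conn=5 op=1 UNBIND
[18/Sep/2006:17:19:02 +0000] conn=5 op=1 fd=64 closed - U1
[18/Sep/2006:17:20:10 +0000] conn=6 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2006:17:20:10 +0000] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[18/Sep/2006:17:20:10 +0000] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[18/Sep/2006:17:20:10 +0000] conn=6 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=inetorgperson)(uid=devel))" attrs=ALL
[18/Sep/2006:17:20:10 +0000] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2006:17:20:11 +0000] conn=6 op=2 BIND dn="uid=devel,ou=People,dc=example,dc=com" method=128 version=3
[18/Sep/2006:17:20:11 +0000] conn=6 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[18/Sep/2006:17:20:11 +0000] conn=6 op=3 UNBIND
[18/Sep/2006:17:20:11 +0000] conn=6 op=3 fd=65 closed - U1
"""

# Every line starts with a bracketed timestamp and a conn= number.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# Operation lines continue with op=N and an upper-case operation name (BIND, SRCH, RESULT, UNBIND).
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
# key=value pairs; values are either a double-quoted string (DNs, filters) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Standard LDAP result codes (RFC 4511) that matter most when debugging a bind-then-search client.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}


@dataclass
class LdapOp:
    conn: int
    op: int
    kind: str                  # "BIND" or "SRCH"
    args: Dict[str, str]       # key=value pairs from the request line (dn, base, filter, ...)
    peer: Optional[str]        # client address from the "connection from" line, if seen
    err: Optional[int] = None  # result code from the matching RESULT line
    nentries: int = 0          # entries returned (meaningful for SRCH)


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'dn="cn=x" method=128 version=3' into a dict, unquoting quoted values."""
    out = {}
    for key, value in KV_RE.findall(text):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        out[key] = value
    return out


def parse_access_log(text: str) -> List[LdapOp]:
    """Return the BIND/SRCH operations that received a RESULT, in log order."""
    peers: Dict[int, str] = {}
    pending: Dict[tuple, LdapOp] = {}
    done: List[LdapOp] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        if rest.startswith("fd=") and "connection from" in rest:
            peers[conn] = rest.split("connection from ")[1].split(" ")[0]
            continue
        om = OP_RE.match(rest)
        if not om:
            continue  # "closed" lines and anything else without an operation name
        op, kind, args = int(om.group("op")), om.group("kind"), parse_kv(om.group("args"))
        if kind == "RESULT":
            req = pending.pop((conn, op), None)
            if req is None:
                continue  # result for a request we never saw (log excerpt started mid-connection)
            req.err = int(args.get("err", -1))
            req.nentries = int(args.get("nentries", 0))
            done.append(req)
        elif kind in ("BIND", "SRCH"):
            pending[(conn, op)] = LdapOp(conn, op, kind, args, peers.get(conn))
    return done


def needs_attention(o: LdapOp) -> bool:
    """A failed operation, or a search that matched nothing, is what to look at first."""
    return o.err != 0 or (o.kind == "SRCH" and o.nentries == 0)


def explain(ops: List[LdapOp]) -> List[str]:
    """One readable line per completed operation, with failures marked."""
    notes = []
    for o in ops:
        name = RESULT_NAMES.get(o.err, "err%s" % o.err)
        if o.kind == "BIND":
            what = "BIND as %r" % (o.args.get("dn") or "(anonymous)")
        else:
            what = "SRCH base=%r filter=%r -> %d entries" % (o.args.get("base"), o.args.get("filter"), o.nentries)
        flag = "  <-- check this" if needs_attention(o) else ""
        notes.append("conn=%d op=%d from %s: %s: %s%s" % (o.conn, o.op, o.peer, what, name, flag))
    return notes


if __name__ == "__main__":
    for note in explain(parse_access_log(SAMPLE_LOG)):
        print(note)
```

Run it against a real excerpt by replacing SAMPLE_LOG with the contents of the server's access log; a bind that is answered with anything other than err=0, or a search whose RESULT carries nentries=0, is the operation to compare against the bind DN, search base and filter configured in saslauthd.conf.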