Ralf Haferkamp wrote:
You (your client, whatever tool you used) tried to authenticate using the SASL/GSSAPI mechanism, but your server is not configured to use that mechanism. What tool were you using to access the LDAP server? If you were using the ldapsearch tool try adding the "-x" commandline switch to use simple authentication and see if that works. For details have a look in the ldapsearch man-page.
I was using the command listed below -- that YAST told me to use:
ldapsearch -Y external -H ldapi:/// -b
It doesn't say anything about an -x switch or a need to configure SASL/GSSAPI to make it work properly. Hasn't GSSAPI been deprecated due to non-fixable security flaws? I seem to remember it being a requirement a few years back, then heard it was dropped when some serious problems were found. But most of the vendors still seem to offer and use it...so I'm a little bit confused...?
If you were using another LDAP client, change that client's config to not try SASL/GSSAPI authentication. Or set up SASL/GSSAPI properly of course.
filling up my /var/log/messages.
Somehow I don't think this is right.
Anyone have any further clues on how to get this working?
I got YAB (yet another book) but the book got lost as soon as I went to my /etc/open-ldap/ dir and looked in slapd.conf and saw:
# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration.
#
# A copy of the original /etc/openldap/slapd.conf file has been created as:
# /etc/openldap/slapd.conf.YaSTsave
#
# To access the new configuration backend easily you can use SASL external
# authentication. I.e. the following ldapsearch command, executed as the root
# user, can be used to print the complete slapd configuration to stdout:
# ldapsearch -Y external -H ldapi:/// -b cn=config
---------
I tried this, but it doesn't work;
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
According to the GSSAPI error message above your LDAP server seems to be running. This error here indicates then, that the server is not listening on the ldapi:/// interface, or that you were not running ldapsearch on the same host as the LDAP server is running on. "ldapi" is based on Unix Domain Sockets, so it only works on the same host. Please check /etc/sysconfig/openldap (OPENLDAP_START_LDAPI=yes) if the "ldapi" listener is enabled. If not, enable it, restart slapd and try again.
So...how come my backend isn't working and why do I feel rather silly asking why it isn't working on a suse list?
What does this command give you:
ldapsearch -x -H ldap:// -b "" -s base +
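
A local check for the two conditions the reply above names (the "ldapi" listener switched off in /etc/sysconfig/openldap, or no Unix domain socket present on this host), as an added example that is not part of the original thread. The function names are hypothetical, and the socket path /var/run/slapd/ldapi is an assumption because it is build-dependent; pass your own as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): why might "-H ldapi:///" fail locally?
# Assumes the sysconfig file holds shell-style KEY="value" lines.

# Print the effective OPENLDAP_START_LDAPI value; the last uncommented
# assignment wins, quotes and trailing comments are stripped.
ldapi_setting() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*OPENLDAP_START_LDAPI=//p' "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//' \
        | tr -d "\"'" \
        | tr -d '[:space:]'
}

# Print one state word on stdout and a hint on stderr:
#   listener-disabled  sysconfig does not enable the ldapi listener
#   socket-missing     listener enabled, but no Unix socket at the given path
#   ok                 socket exists; ldapi:/// should be reachable locally
diagnose_ldapi() {
    conf=$1
    sock=$2
    if [ "$(ldapi_setting "$conf")" != "yes" ]; then
        echo "listener-disabled"
        echo "hint: set OPENLDAP_START_LDAPI=yes in $conf, then restart slapd" >&2
        return 0
    fi
    if [ ! -S "$sock" ]; then
        echo "socket-missing"
        echo "hint: no socket at $sock; restart slapd or check the path" >&2
        return 0
    fi
    echo "ok"
}

# Default paths: the sysconfig file is the one named in the thread;
# the socket path is an assumed default, not taken from the thread.
diagnose_ldapi "${1:-/etc/sysconfig/openldap}" "${2:-/var/run/slapd/ldapi}"
```

Because ldapi uses a Unix domain socket, run this on the LDAP server itself; on any other host the result says nothing about the server.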