[Freeipa-users] LDAP only seems to allow anonymous access

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 29 08:37:01 UTC 2016


Don't answer directly, answer to the list.

On Mon, 29 Aug 2016, Harry Kashouli wrote:
>Gotcha, updated error below:
>
>$ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
>SASL/GSSAPI authentication started
>SASL username: admin at OUTLAND.ZSAZOULI.COM
>SASL SSF: 56
>SASL data security layer installed.
>No such object (32)
>
>I know the user exists, cause I see the admin (and my other users) in the
>FreeIPA web UI, and kinit gives me a valid ticket
Did you replace $REALM above with the correct value? E.g.

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=outland,dc=zsazouli,dc=com uid=admin

As you can see in the SASL output, the GSSAPI negotiation happened
successfully; the "No such object (32)" answer is an LDAP return code which
is most likely due to a wrong base being used. If no object existed, you'd
get an empty successful result instead.

>
>-Harry
>
>On 29 August 2016 at 01:13, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Mon, 29 Aug 2016, Harry Kashouli wrote:
>>
>>> This is the error I get:
>>>
>>> ldapsearch -LLL GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
>>> SASL/EXTERNAL authentication started
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>        additional info: SASL(-4): no mechanism available:
>>>
>> You are using the wrong syntax. To specify the SASL mechanism, you need to use
>> the -Y option:
>>
>> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,$REALM uid=admin
>>
>>
>> --
>> / Alexander Bokovoy
>>

-- 
/ Alexander Bokovoy
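The two points made in the reply above (the -b argument must carry the expanded base DN, and exit code 32 means the base itself is missing while a non-matching filter gives an empty result with exit 0) can be checked without a server. The following is an added example, not code from the thread or from the FreeIPA project; it assumes the deployment uses the default FreeIPA suffix derived from the domain name (the realm in lowercase), which is the usual case but can be overridden at install time, in which case the basedn line in /etc/ipa/default.conf is authoritative. The realm and helper names are taken from or constructed for the thread's scenario.

```shell
#!/bin/sh
# Added example (not from the thread): derive the FreeIPA base DN from a
# Kerberos realm, build the GSSAPI ldapsearch command the reply recommends,
# and classify what ldapsearch reports.

# Convert a realm such as OUTLAND.ZSAZOULI.COM into dc=outland,dc=zsazouli,dc=com.
# Assumption: the deployment kept the default suffix; otherwise read
# "basedn" from /etc/ipa/default.conf instead of deriving it.
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F. '{
        for (i = 1; i <= NF; i++) {
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        }
        printf "\n"
    }'
}

# The users container under that suffix, as used in the thread.
users_base() {
    printf 'cn=users,cn=accounts,%s\n' "$(realm_to_basedn "$1")"
}

# Assemble the search command: -Y GSSAPI selects the SASL mechanism and
# -b must carry the expanded DN, never an unexpanded $REALM.
ldapsearch_cmd() {
    printf 'ldapsearch -LLL -Y GSSAPI -b %s uid=%s\n' "$(users_base "$1")" "$2"
}

# OpenLDAP's ldapsearch exits with the LDAP result code. 32 (noSuchObject)
# means the base DN does not exist; exit 0 with zero entries means the base
# exists and nothing matched the filter (the "user not found" case).
classify_result() {
    # $1 = exit status of ldapsearch, $2 = number of entries it printed
    case "$1" in
        0)
            if [ "$2" -eq 0 ]; then
                echo "base exists, filter matched nothing"
            else
                echo "success: $2 entries"
            fi
            ;;
        32) echo "base DN does not exist (noSuchObject): check -b" ;;
        49) echo "invalid credentials" ;;
        *)  echo "ldap error $1" ;;
    esac
}

# Demonstration with the realm from the thread; nothing here contacts a server.
main() {
    realm=OUTLAND.ZSAZOULI.COM
    ldapsearch_cmd "$realm" admin
    classify_result 32 0
    classify_result 0 0
}
main
```

In practice the base DN can be confirmed with `ldapsearch -x -s base -b "" namingContexts` against the IPA server, which needs no credentials and lists the suffixes the directory actually serves; the derived value should appear there.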
