Hi Quanah,
Thank you for your response. I figured out what you said in your
response, and I have another question about SASL. I have an LDAP testing
server, let's say the URL is test.sample.net, and when I run the following
command:
ldapsearch -H ldap://test.sample.net:389 -x -b "" -s base -LLL supportedSASLMechanisms
it returned:
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
then I run the command:
ldapsearch -H ldap://test.sample.net:389 -Y DIGEST-MD5
then it prompts:
SASL/DIGEST-MD5 authentication started
Please enter your password:
I give a password, then it prompts:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
 additional info: SASL(-13): user not found: no secret in database

So my question here is: what password is it asking for, since it's not
asking for a DN? There could be many credentials here; will the server
figure out the user from the password input?

Thank you!

Peter

On Mon, Jan 6, 2020 at 8:17 PM Quanah Gibson-Mount <[email protected]> wrote:

>
> --On Tuesday, December 31, 2019 10:44 AM -0500 Peter Sui <[email protected]> wrote:
>
> > if I run:
> > ldapsearch -h ldap.forumsys.com -p 636 -b "" -s base "(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" -w password -Z
>
> It is not valid to combine startTLS with port 636.  Also, you should update
> your options to match modern standards.
>
>
> Example against ldaps:///
>
> ldapsearch -H ldaps://ldap.forumsys.com:636
>
> as opposed to
>
> ldapsearch -h ldap.forumsys.com -p 636
>
> Example against ldap:///
>
> ldapsearch -H ldap://ldap.forumsys.com:389
>
> as opposed to
>
> ldapsearch -h ldap.forumsys.com -p 389
>
>
> I would note that the -Z(Z) options are for startTLS (generally against
> port 389).  It is not valid to mix startTLS with ldaps:// URIs.  You've not
> provided any useful information about your setup, so it's not possible to
> give you much help past that.
>
> As for your SASL question, as documented in the ldapsearch man page, you
> provide the SASL Mech as a parameter to the -Y option.  For example:
>
> ldapsearch -Y GSSAPI -H ldap://ldap.forumsys.com:389
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>

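Added example, not part of the original thread and not OpenLDAP code: a small Python check for the two points in Quanah's reply, flagging -h/-p in place of a -H URI and -Z/-ZZ (startTLS) combined with ldaps:// or port 636. The function name and finding labels are hypothetical, and treating port 636 as ldaps:// follows the thread's examples.

```python
import shlex
from urllib.parse import urlsplit

# ldapsearch options that consume the next argument (per its man page).
TAKES_VALUE = set("abdDeEfFhHloOpPRsSTUwXyYz")


def lint_ldapsearch(cmdline):
    """Return (findings, uri) for one ldapsearch command line.

    Limitation of this constructed helper: combined short options such
    as -xZZ are not split, only separate tokens are recognised.
    """
    args = shlex.split(cmdline)[1:]
    opts, starttls, i = {}, False, 0
    while i < len(args):
        arg = args[i]
        if arg in ("-Z", "-ZZ"):
            starttls = True
        elif len(arg) == 2 and arg[0] == "-" and arg[1] in TAKES_VALUE:
            if i + 1 < len(args):
                opts[arg[1]] = args[i + 1]
            i += 1  # skip the option's value
        i += 1

    findings = []
    uri = opts.get("H")
    if uri is None and ("h" in opts or "p" in opts):
        # Assumption: missing host/port fall back to localhost and 389.
        host = opts.get("h", "localhost")
        port = opts.get("p", "389")
        # Assumption: port 636 means ldaps://, as in the thread's examples.
        scheme = "ldaps" if port == "636" else "ldap"
        uri = f"{scheme}://{host}:{port}"
        findings.append("legacy-host-port")
    if uri is not None and starttls:
        parts = urlsplit(uri)
        if parts.scheme == "ldaps" or parts.port == 636:
            findings.append("starttls-on-ldaps")
    return findings, uri


if __name__ == "__main__":
    # The command quoted in the thread.
    cmd = ('ldapsearch -h ldap.forumsys.com -p 636 -b "" -s base '
           '"(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" '
           '-w password -Z')
    print(lint_ldapsearch(cmd))
```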