Wow LDAP is confusing. To boot, I'm using LDAP with a MySQL back-end. I may try an LDAP server with a standard back end too, just to see if it is any different.

I also bought LDAP System Adminstration to see if that helps out at all.

Basic installation of slapd on Debian:

  1. apt-get install slapd ldap-utils
  2. Agree to the suggestions
  3. Test with ldapsearch returns nothing, test with ldapsearch and base reference returns some basic stuff.
  4. Insert some data with ldapadd from a basic ldif file

Can't seem to authenticate from Mac OS X, it keeps searching for a dn with cd=cram-md5 or something. Argh. Trying out libpam_ldap to see if I can learn anything there. It appears that slapd defaults to sasl if it can't get the pw from the database. Hmmmm.

Authentication is a pain! First you need to authenticate to the ldap server, then you need to authenticate to the machine. Confusing, yes. I keep getting this error:

Error: unable to open Berkeley db 

ldapsearch -x -ZZ -h hostname.com -b "" -s base -LLL supportedSASLMechanisms

But I don't want to connect to berkleydb. I want to connect to pam_mysql. http://www.web-cyradm.org/pipermail/web-cyradm/2004-November/017985.html

Force sasl to ignore other modules: http://www.sendmail.org/~ca/email/cyrus2/options.html

OK, so its a Cyrus Sasl error really, and I don't want to go round about to pam, I just want to authenticate with sasl to the ldap directory. Ugh.

FINALLY! Special thanks goes to: http://www.jimmy.co.at/weblog/?p=52 who reminded me that the sasl socket is owned by the sasl group, because postfix runs in its own jail. Since openldap does too, I had to add it to the sasl database! No more:

Failure: cannot connect to saslauthd server: Permission denied

Now I can authenticate to the ldap server using data WITHIN its back-end. Now that I understand it a little better, its awesome. Next up: remote authentication, indexing, and replication!

AWESOME! I am now able to authenticate to the LDAP server from Mac OS X! Now that most everything is working, I'd like to revisit the process and document it properly. So far, these are the components I'm working with:

  • Linux: OpenLdap slapd, Back-sql mysql, Cyrus SASL
  • Mac: Directory Access, Address Book (for testing purposes) - N.B. - I changed all the connection and query timeouts to much less than 120 (I use 10) so that testing is easier.

I also noticed something very strange about my ldap administration book, on page 59, the content shifts to another book about hardware! Here's what I sent to Amazon: The book is printed incorrectly, about half the book is from some other book, talking about computer architecture. Two chapters are missing. It goes from page 60, to 59, and then on page 106, it skips to page 109. Very strange. Please just send a replacement. Thanks.


External References: