Re: question about authentication
Hi Manfred
> hello to everyone!
>
> i'm trying to set up openldap (newbie) with sasl (plain, gssapi) now for
> about one week, but now i have run into a simple problem, i think, but i
> couldn't find an answer. so i have two questions for you, which i hope you
> can answer for me.
>
> 1. i created a rootdn "uid=manfred,dc=domain,dc=com". i also set up sasl to
> check user and password in /etc/shadow (later i will move to kerberos),
> which works. now, when i try to add something to the database with:
>
> ldapadd -f /etc/openldap/ldif/companystructure.ldif -D
> "uid=manfred,dc=domain,dc=com" -Y PLAIN
>
> i get prompted to insert my password, so i enter the password for the user
> manfred, who has an account on my linuxbox.
> the resulting error is:
> ldap_sasl_interactive_bind_s: Invalid credentials
>
> so i also tried the following:
> ldapadd -f /etc/openldap/ldif/companystructure.ldif -D
> "uid=manfred,dc=domain,dc=com" -Y PLAIN -U manfred
> after typing in my password, i get following error:
> ldap_add: Insufficent access

Run slapd with "-d 1" and look for a line that starts with

    <== slap_sasl_bind: authzdn:

This is the authorization dn established by sasl. It probably won't
match your rootdn. Change your ACLs accordingly.

> 2. this problem should be a little bit simpler.
> is it possible to tell SASL, which authentication method to use for default.
> i always need to specify "-Y PLAIN", to use the plain mechanism, otherwise
> SASL always wants to use GSSAPI.
> is there an option in any configuration file to get this to work.
> i can restrict the mechanisms to GSSAPI only, with the "sasl-secoprops" in
> "slapd.conf".

The hard way to do this would be to remove the GSSAPI plugin from the
sasl directory.

--
Norbert Klasen
DFN Directory Services tel: +49 7071 29 70335
ZDV, Universität Tübingen fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen http://www.directory.dfn.de
Germany norbert.klasen@zdv.uni-tuebingen.de
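
The check described in the reply, as an added example that is not part of the original message: it pulls the DN from the "<== slap_sasl_bind: authzdn:" line of captured "slapd -d 1" output and compares it with the rootdn from slapd.conf. The function names are hypothetical and the DN in the sample log is constructed; the real value is whatever your slapd prints.

```shell
#!/bin/sh
# Added example. Compares the SASL authorization DN logged by slapd with rootdn.

# Normalize a DN for a rough comparison: drop quotes, lowercase, and remove
# spaces around "," "=" and "+" (assumes case-insensitive attributes).
normalize_dn() {
    printf '%s\n' "$1" | tr -d '"' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*\([,=+]\)[[:space:]]*/\1/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print the DN from the last authzdn line of slapd debug output on stdin.
extract_authzdn() {
    sed -n 's/^.*<== slap_sasl_bind: authzdn:[[:space:]]*//p' | tail -n 1
}

# Print the rootdn value from slapd.conf text on stdin.
extract_rootdn() {
    sed -n 's/^rootdn[[:space:]][[:space:]]*//p' | tail -n 1
}

# Echo "match", "mismatch" or "no-authzdn" for log text $1 and config text $2.
dn_status() {
    authz=$(printf '%s\n' "$1" | extract_authzdn)
    root=$(printf '%s\n' "$2" | extract_rootdn)
    if [ -z "$authz" ]; then
        echo "no-authzdn"
    elif [ "$(normalize_dn "$authz")" = "$(normalize_dn "$root")" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# Constructed sample input (not real slapd output beyond the line prefix).
SAMPLE_LOG='(other debug output)
<== slap_sasl_bind: authzdn: "uid=manfred,cn=plain,cn=auth"'
SAMPLE_CONF='suffix          "dc=domain,dc=com"
rootdn          "uid=manfred,dc=domain,dc=com"'

status=$(dn_status "$SAMPLE_LOG" "$SAMPLE_CONF")
echo "authzdn: $(normalize_dn "$(printf '%s\n' "$SAMPLE_LOG" | extract_authzdn)")"
echo "rootdn:  $(normalize_dn "$(printf '%s\n' "$SAMPLE_CONF" | extract_rootdn)")"
echo "result:  $status"
# On "mismatch", the bind is not treated as rootdn, so the write is subject to
# the ACLs, which must grant access to the logged authzdn.
```
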