
Re: question about authentication



Hi Manfred 
> hello to everyone!
> 
> i'm trying to set up openldap (newbie) with sasl (plain, gssapi) now for
> about one week, but now i have run into a simple problem, i think, but i
> couldn't find an answer. so i have two questions for you, which i hope you
> can answer for me.
> 
> 1. i created a rootdn "uid=manfred,dc=domain,dc=com". i also set up sasl to
> check user and password in /etc/shadow (later i will move to kerberos),
> which works. now, when i try to add something to the database with:
> 
> ldapadd -f /etc/openldap/ldif/companystructure.ldif -D
> "uid=manfred,dc=domain,dc=com" -Y PLAIN
> 
> i get prompted to insert my password, so i enter the password for the user
> manfred, who has an account on my linuxbox.
> the resulting error is:
> ldap_sasl_interactive_bind_s: Invalid credentials
> 
> so i also tried the following:
> ldapadd -f /etc/openldap/ldif/companystructure.ldif -D
> "uid=manfred,dc=domain,dc=com" -Y PLAIN -U manfred
> after typing in my password, i get following error:
> ldap_add: Insufficent access

Run slapd with "-d 1" and look for a line that starts with 
<== slap_sasl_bind: authzdn: 
This is the authorization dn established by sasl. It probably won't
match your rootdn. Change your ACLs accordingly.

> 2. this problem should be a little bit simpler.
> is it possible to tell SASL, which authentication method to use for default.
> i always need to specify "-Y PLAIN", to use the plain mechanism, otherwise
> SASL always wants to use GSSAPI.
> is there an option in any configuration file to get this to work.
> i can restrict the mechanisms to GSSAPI only, with the "sasl-secoprops" in
> "slapd.conf".

The hard way to do this would be to remove the GSSAPI plugin from the
sasl directory.

-- 
Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen              http://www.directory.dfn.de
Germany                             norbert.klasen@zdv.uni-tuebingen.de
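
The check described in the reply above, as an added example that is not part of the original message: a shell helper that pulls the `<== slap_sasl_bind: authzdn:` line out of captured `slapd -d 1` output and compares it with the DN given to `-D`. The function names and the sample log are constructed for illustration; the DN value in the sample is an assumption, not real slapd output.

```shell
#!/bin/sh
# Added example: compare the SASL authorization DN logged by "slapd -d 1"
# with the rootdn that the ACLs were written for.

# Normalize a DN for a rough comparison: strip surrounding quotes, remove
# spaces around "," and "=", and lowercase (a simplification; some
# attribute values are case-sensitive).
normalize_dn() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*"\{0,1\}//' -e 's/"\{0,1\}[[:space:]]*$//' \
            -e 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g' |
        tr '[:upper:]' '[:lower:]'
}

# Print the DN from the last "<== slap_sasl_bind: authzdn:" line on stdin.
extract_authzdn() {
    sed -n 's/^.*<== slap_sasl_bind: authzdn:[[:space:]]*//p' | tail -n 1
}

# Exit 0 if the logged authzdn equals the rootdn, 1 if it differs,
# 2 if no authzdn line was found (bind failed earlier or wrong debug level).
check_authzdn() {
    rootdn=$1
    logged=$(extract_authzdn)
    if [ -z "$logged" ]; then
        echo "no authzdn line found" >&2
        return 2
    fi
    if [ "$(normalize_dn "$logged")" = "$(normalize_dn "$rootdn")" ]; then
        echo "match: $logged"
        return 0
    fi
    echo "mismatch: SASL authzdn is $logged, rootdn is $rootdn"
    return 1
}

# Constructed sample of debug output; only the authzdn line prefix comes
# from the message above, the DN value is illustrative.
SAMPLE_LOG='(earlier debug output)
<== slap_sasl_bind: authzdn: "uid=manfred + realm=linuxbox"
(later debug output)'

printf '%s\n' "$SAMPLE_LOG" | check_authzdn 'uid=manfred,dc=domain,dc=com' || true
```

On a mismatch, the DN printed is the identity the ACLs have to grant write access to, since that is what slapd evaluates after a SASL bind.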