Problems with SASL-authentication ?
Hi list,
With the help of Peter A. Savitch (hi Peter, I'll send you a
message later ...) I got over my SSL/TLS problems.
Now it doesn't work yet because of, I think,
authentication problems.
Here's the part of my slurpd log that belongs to the problem:
---snipp---
TLS trace: SSL_connect:SSLv3 read finished A
bind to 486dx66.hrnet.de as - via GSSAPI (SASL)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_err2string
Error: LDAP SASL for 486dx66.hrnet.de:5389 failed: Unknown
authentication method
ldap_unbind
ldap_free_connection
ldap_send_unbind
---snipp---
In the first line the SSL connection has successfully begun.
But in the next line, the bind has (so I think) an error,
as no DN ("as - via GSSAPI (SASL)") is there to bind.
The rest of the log shows that the connection is then stopped.
I came to the conclusion that something with SASL is wrong!?
So here's what I've configured:
The replication DN shall be ldapreplicator@HRNET.DE.
"ldapreplicator@HRNET.DE" exists in the REALM, as the kdc log shows:
---snipp---
Aug 06 09:00:00 486dx66 krb5kdc[506](info):
TGS_REQ (3 etypes {16 1 3}) 192.168.1.3(0):
ISSUE: authtime 1028567349, etypes {rep=16 tkt=16 ses=16},
ldapreplicator@HRNET.DE for krbtgt/HRNET.DE@HRNET.DE
---snipp---
My replica configuration in slapd.conf (master) is:
---snipp---
replica
        host=486dx66.hrnet.de:5389
        tls=critical
        binddn="uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de"
        bindmethod=sasl
        SASLmech=GSSAPI
replogfile /usr/local/ldap/var/replog
---snipp---
"uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de"
exists in the database.
(By the way, what is the correct expression for an entry
like this in the database?)
---snipp---
# SASL authentication
srvtab /etc/krb5.keytab
sasl-host 486dx66.hrnet.de
sasl-realm HRNET.DE
# The match pattern needs a capture group, uid=(.*), so that $1 in the
# replacement receives the user name; uid=.* alone captures nothing.
saslRegexp
        uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth
        uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de
---snipp---
So, is this correct?
Should the replicator DN be in the database, or is
this just virtual?
greets Harry
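The mapping step that the sasl-regexp directive performs, modelled here as an added Python example (not part of Harry's post and not OpenLDAP's own code): a rule is matched against the SASL authentication DN and `$n` in the replacement is filled from the n-th capture group, which is why the match side needs `uid=(.*)` rather than `uid=.*`. The rule lists and the DNs are constructed from the post; that slapd matches case-insensitively and substitutes an absent group as an empty string is an assumption of this model.

```python
import re

# Constructed rules in the (match pattern, replacement template) form that
# slapd.conf's sasl-regexp directive takes.  The first rule has no capture
# group, so $1 can never receive the user name.
RULES_NO_GROUP = [
    (r"uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth",
     "uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de"),
]
RULES_WITH_GROUP = [
    (r"uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth",
     "uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de"),
]


def check_rule(pattern, template):
    """Return the $n references in template that the pattern cannot satisfy.

    A sanity check to run over slapd.conf before reloading: any reference
    returned here would map to an empty value at bind time.
    """
    groups = re.compile(pattern).groups
    refs = {int(n) for n in re.findall(r"\$(\d)", template)}
    return sorted(n for n in refs if n == 0 or n > groups)


def map_sasl_dn(auth_dn, rules):
    """Map a SASL authentication DN to a database DN with the first matching rule.

    Assumed model of slapd: patterns are matched case-insensitively against the
    whole DN, $1..$9 are replaced by the capture groups, and a group that does
    not exist or did not participate in the match substitutes as "".  A DN that
    matches no rule is returned unchanged.
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m is None:
            continue

        def fill(ref):
            idx = int(ref.group(1))
            if idx == 0 or idx > len(m.groups()):
                return ""
            return m.group(idx) or ""

        return re.sub(r"\$(\d)", fill, template)
    return auth_dn
```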