Problems with SASL-authentication ?



Hi list,

with the help of Peter A. Savitch (hi Peter, I'll send you a
message later ...) I got over my SSL/TLS problems.
Now it doesn't work yet because of - I think -
authentication problems.

Here's the part of my slurpd log which belongs to the problem:

---snipp---
TLS trace: SSL_connect:SSLv3 read finished A
bind to 486dx66.hrnet.de as - via GSSAPI (SASL)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_err2string
Error: LDAP SASL for 486dx66.hrnet.de:5389 failed: Unknown
authentication method
ldap_unbind
ldap_free_connection
ldap_send_unbind
---snipp---

In the first line the SSL connection has successfully begun.
But in the next line, the bind has (so I think) an error,
as there is no DN ("as - via GSSAPI (SASL)") to bind as.
The rest of the log shows that the connection is then stopped.

I came to the conclusion that something with SASL is wrong!?

So here's what I've configured:

The replication DN shall be ldapreplicator@HRNET.DE.
"ldapreplicator@HRNET.DE" exists in the realm, as the KDC log shows:
---snipp---
Aug 06 09:00:00 486dx66 krb5kdc[506](info): 
TGS_REQ (3 etypes {16 1 3}) 192.168.1.3(0): 
ISSUE: authtime 1028567349, etypes {rep=16 tkt=16 ses=16}, 
ldapreplicator@HRNET.DE for krbtgt/HRNET.DE@HRNET.DE
---snipp---

My replica configuration in slapd.conf (master) is:
---snipp---
replica
  host=486dx66.hrnet.de:5389
  tls=critical
  binddn="uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de"
  bindmethod=sasl
  SASLmech=GSSAPI
replogfile      /usr/local/ldap/var/replog
---snipp---

"uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de"
exists in the database.

(By the way, what is the correct expression for an entry
like this in the database?)

---snipp---
# SASL authentication
srvtab     /etc/krb5.keytab
sasl-host  486dx66.hrnet.de
sasl-realm HRNET.DE

# $1 in the replacement refers to the first parenthesized group of the
# pattern, so the pattern needs (.*) rather than a bare .*; continuation
# lines of one directive must start with whitespace
saslRegexp
  uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth
  uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de
---snipp---

So, is this correct?
Should the replicator DN be in the database, or is
this just virtual?

greets Harry
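As an added illustration (not part of Harry's post and not OpenLDAP's own code), here is a small Python model of what a sasl-regexp rule does with a GSSAPI identity: slapd turns the Kerberos principal into an authentication request DN of the form uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth and rewrites it through the configured pattern/replacement pairs, where $1 refers to the first capturing group of the pattern. The helper names, the case-insensitive whole-string matching and the exact shape of the request DN are assumptions of this example; the two rules are constructed to contrast the post's pattern (no capturing group) with one that has the parentheses.

```python
import re

# Illustrative re-implementation of OpenLDAP's sasl-regexp mapping step.
# Not OpenLDAP code: the request-DN layout and the case-insensitive,
# whole-string match are assumptions of this example.


def sasl_auth_dn(authcid: str, mech: str, realm: str) -> str:
    """Build the authentication request DN slapd derives from a SASL bind.

    For a GSSAPI bind by ldapreplicator@HRNET.DE this gives
    uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth (assumed layout).
    """
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def validate_rule(pattern: str, replacement: str) -> int:
    """Return the highest $N in the replacement that the pattern cannot
    supply, or 0 when every reference has a matching capture group."""
    groups = re.compile(pattern).groups
    refs = [int(n) for n in re.findall(r"\$(\d)", replacement)]
    missing = [n for n in refs if n > groups]
    return max(missing) if missing else 0


def apply_sasl_regexp(auth_dn: str, rules):
    """Map auth_dn through (pattern, replacement) rules; the first matching
    rule wins, as in slapd.

    Returns the rewritten DN, or None when no rule matches or when the
    matching rule references a capture group its pattern does not define.
    """
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if match is None:
            continue
        if validate_rule(pattern, replacement):
            return None  # $N points at a group that does not exist
        return re.sub(r"\$(\d)",
                      lambda ref: match.group(int(ref.group(1))),
                      replacement)
    return None


# Constructed rules: BROKEN_RULE mirrors the pattern from the post (bare .*,
# so $1 has nothing to refer to); FIXED_RULE adds the capturing group.
BROKEN_RULE = (r"uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth",
               "uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de")
FIXED_RULE = (r"uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth",
              "uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de")


if __name__ == "__main__":
    auth = sasl_auth_dn("ldapreplicator", "GSSAPI", "HRNET.DE")
    print("request DN:", auth)
    print("broken rule ->", apply_sasl_regexp(auth, [BROKEN_RULE]))
    print("fixed rule  ->", apply_sasl_regexp(auth, [FIXED_RULE]))
```

The mapping only decides which DN the bind is treated as; with the fixed rule the replicator binds as the uid=ldapreplicator entry under ou=ldap, and a principal from another realm falls through to None because no rule matches it.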