
Re: Kerberos 5 Question



Today at 7:42pm, Shaick wrote:

> Hello Frank,
> 
> I have some questions here about Kerberos 5 and OpenLDAP.
> 
> 1) If openldap not compiled with Kerberos 4 , Then "-k" , "-K" cannot be
> used with ldapclients.

Absolutely correct.  I do not use -k/-K on the ldapclients here.

> 2) If we only compiled Kerberos 5 library,then only Using Cyrus SASL GSSAPI
> mechanism we can use the Kerberos Authentication.

Also correct.

> 
> Are the above statements correct?

The two above statements have absolutely nothing whatsoever to do with
support for the userPassword: {KERBEROS}uid@realm construct.

You have now moved from the server accepting a simple bind and turning
around and performing the KDC conversation to verify the password
against the Kerberos realm, to the client doing a Kerberos login
(kinit) and then running the ldapclient command, with the Kerberos ticket
being passed (via SASL) and interpreted (via sasl-regexp) as some DN
on the server.

These are two completely separate items.

I'm no expert.  It works for me with OpenLDAP 2.1.22 as long as the 
ldapclients were compiled with sasl and sasl was compiled with kerberos 
support.

Please ask your questions on the openldap-software list so everyone can 
benefit from the experience.

F

> I am trying with OpenLDAP 2.1.21 with GSSAPI now without success. I can do
> the CRAM-MD5 and DIGEST-MD5 mechanisms with OpenLDAP.
> 
> Can you please give the steps for how to configure it (slapd.conf, ldap.conf, and a
> sample ldif [if some special entries are needed for GSSAPI])?
> 
> Here is my configuration for GSSAPI,
> 
> slapd.conf:
> ======
> sasl-regexp
>         uid=(.*),cn=digest-md5,cn=auth
>         ldap:///dc=team,dc=com??sub?uid=$1
> 
> sasl-regexp
>         uid=(.*),cn=cram-md5,cn=auth
>         ldap:///dc=team,dc=com??sub?uid=$1
> 
> sasl-regexp
>         uid=(.*),cn=gssapi,cn=auth
>         ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
> 
> 
> #  ./ldapwhoami -Y GSSAPI -U s001 -D "dc=team,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Failure
> 
> slapd debug output:
> =============
> do_sasl_bind: dn (dc=team,dc=com) mech GSSAPI
> SASL [conn=1] Failure: GSSAPI Failure
> send_ldap_result: conn=1 op=1 p=3
> send_ldap_response: msgid=2 tag=97 err=49
> ber_flush: 63 bytes to sd 11
> <== slap_sasl_bind: rc=49
> connection_get(11): got connid=1
> connection_read(11): checking for input on id=1
> ber_get_next
> ber_get_next on fd 11 failed errno=0 (Error 0)
> connection_read(11): input error=-2 id=1, closing.
> connection_closing: readying conn=1 sd=11 for close
> connection_close: conn=1 sd=11
> 
> So please give your time and guide me to get success.
> 
> Thanks,
> -Shaick.
> 

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
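As an added illustration of the sasl-regexp mapping Frank refers to (example code written for this page, not from the thread or from OpenLDAP itself): it applies the three rules from the quoted slapd.conf to the SASL authentication DN slapd builds (`uid=<user>,cn=<mech>,cn=auth`), substitutes `$1`, and splits the resulting ldap:/// URL into the base, scope and filter of the search slapd would run; an identity no rule matches is returned unmapped, which is the case to look for when a bind succeeds at the SASL layer but the user is not recognised. Full-string, case-insensitive matching is an assumption of this simulation, and the exact authentication DN slapd builds for GSSAPI should be checked against the admin guide for the version in use.

```python
import re
from urllib.parse import unquote

# Constructed rule table mirroring the sasl-regexp lines in the quoted
# slapd.conf: each rule is an extended regex matched against the SASL
# authentication DN, plus a replacement in which $1 is the first group.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=cram-md5,cn=auth",   "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=gssapi,cn=auth",
     "ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)"),
]

def map_authc_dn(authc_dn, rules=SASL_REGEXP_RULES):
    """Return the replacement for the first rule matching authc_dn, or None.
    Whole-string, case-insensitive matching is an assumption of this
    simulation; slapd's own matcher is not modelled in every detail."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m:
            # $1..$9 refer to capture groups, as in slapd's replacement syntax;
            # a function replacement keeps backslashes in the user name literal.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None

def parse_ldap_url(url):
    """Split an ldap:/// URL (RFC 2255 layout) into base, attrs, scope, filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs (no host part) are handled")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing components default to ""
    base, attrs, scope, filt = parts[:4]
    return {
        "base": unquote(base),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",             # RFC 2255 default scope
        "filter": unquote(filt) or "(objectClass=*)",
    }

def resolve(authc_dn):
    """Map a SASL authentication DN to the search slapd would run, or report
    the DN as unmapped when no sasl-regexp rule matches it."""
    target = map_authc_dn(authc_dn)
    if target is None:
        return {"unmapped": authc_dn}
    return parse_ldap_url(target)

if __name__ == "__main__":
    print(resolve("uid=s001,cn=gssapi,cn=auth"))   # the user from the post
    print(resolve("uid=s001,cn=plain,cn=auth"))    # no rule covers PLAIN
```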