Re: OpenLDAP with GSSAPI problem
Hello,
"Shaick" <shaick_mlist1@lycos.co.uk> writes:
> Hello Dieter,
>
> Thanks for correcting me. I am really not clear with sasl-regexp syntax.
>
> I have corrected the syntax now as,
> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
>
> ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
>
>
> But still I have the same error.
>
> # ./ldapsearch -Y GSSAPI -U s001
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI Failure
>
> The extra steps I did for SASL GSSAPI are,
> 1. specify "sasl-regexp" as,
>
> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
>
> ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
>
> 2. Modify "userPassword" in LDIF file as,
> userPassword: {KERBEROS}principal@REALM
>
> 3. Add the user in Kerberos REALM (say s001)
>
> 4. kinit s001
>
> 5. ./ldapsearch -Y GSSAPI -U s001
>
> Please let me know if I missed anything in the steps.
Frankly, I use MIT krb5 myself and I don't have any userPassword
attribute in my entries. Furthermore, my saslRegexp is a bit different
from Turbo's, as I use the uid attribute to identify users:
saslRegexp
uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
ldap:///o=avci,c=de??sub?uid=$1
saslRegexp
uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
uid=$1,o=avci,c=de
When looking at your regex I'm wondering whether you have, in your real
slapd.conf, replaced @REALM with your real REALM.
I would recommend testing your setup with the SASL test suite, that is
sample/server and sample/client in the cyrus-sasl tarball, and watching
the authentication string.
As root start 'sample/server -s ldap'
As user start 'sample/client -s ldap -m GSSAPI your.host'
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
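The mapping the thread is debugging, as an added Python model that is not part of the thread or of OpenLDAP: it derives the SASL authentication DN from a GSSAPI principal, applies sasl-regexp rules the way slapd does (first match wins, $1 substituted), and resolves either a direct-DN or an ldap:///...??sub?filter replacement against a constructed in-memory directory. It assumes an unanchored, case-insensitive regex match, a constructed realm TEAM.COM, and constructed entries; it shows why a rule that still contains the literal "@REALM" placeholder can never find the user.

```python
import re

# Constructed sample directory standing in for the two setups in the thread (not real data).
ENTRIES = {
    "uid=s001,ou=people,dc=team,dc=com": {"uid": "s001", "krb5PrincipalName": "s001@TEAM.COM"},
    "uid=dieter,o=avci,c=de": {"uid": "dieter"},
}

def sasl_authz_dn(principal):
    """Authentication DN slapd derives from a GSSAPI principal (assumed form: user/realm split at '@')."""
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"

def apply_sasl_regexp(rules, authz_dn):
    """First sasl-regexp rule whose pattern matches wins; $1..$9 in the replacement are filled in.
    Assumption: matching is unanchored and case-insensitive, like regexec(3) under REG_ICASE."""
    for pattern, replacement in rules:
        m = re.search(pattern, authz_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None

def resolve_bind_dn(rules, principal):
    """Return the directory DN the bind maps to, or None when mapping or lookup fails."""
    target = apply_sasl_regexp(rules, sasl_authz_dn(principal))
    if target is None:
        return None
    # Two replacement forms appear in the thread: a plain DN, or a search URL
    # ldap:///<base>??sub?<attr>=<value>. Only single equality filters are handled here.
    url = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\(?(\w+)=([^)]*)\)?", target)
    if url is None:
        return target if target in ENTRIES else None
    base, attr, value = url.groups()
    hits = [dn for dn, e in ENTRIES.items()
            if dn.lower().endswith(base.lower()) and e.get(attr) == value]
    return hits[0] if len(hits) == 1 else None  # exactly one hit required, as slapd demands

# Rule as posted, with the literal "REALM" placeholder left in: the filter can never match.
RULES_AS_POSTED = [(r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
                    r"ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)")]
# Same rule with the realm filled in (TEAM.COM is a constructed realm name).
RULES_FIXED = [(r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
                r"ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@TEAM.COM)")]
# Dieter's uid-based direct-DN form.
RULES_UID = [(r"uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth", r"uid=$1,o=avci,c=de")]
if __name__ == "__main__":
    print(resolve_bind_dn(RULES_AS_POSTED, "s001@TEAM.COM"))  # None
    print(resolve_bind_dn(RULES_FIXED, "s001@TEAM.COM"))      # uid=s001,ou=people,dc=team,dc=com
    print(resolve_bind_dn(RULES_UID, "dieter@AVCI.DE"))       # uid=dieter,o=avci,c=de
```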