RE: Newbie gets reamed by openldap, kerberos, and sasl... please help.
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Hua Ying Ling
> So it seemed like a simple task... use openldap without anonymous bind
> and verify the username and password sent in the clear to slapd using
> kerberos5. (Before you jump on us, we are adding SSL after we get it
> working.) We have RFM, FMini-How-To, etc., and spent 3 weeks on this
> problem with no luck. We have attempted this on Solaris 8 and MacOS X
> 10.2 with the same result.
>
> So what we used:
> KERBEROS V - on Solaris we built MIT latest and were able to kinit; on
> MacOS X we took the shipping version and were able to kinit and also use
> the loginwindow with kerberos enabled.
Unless you've added the locking patches that were mentioned (on this list or
the Cyrus list, I don't recall), using the MIT Kerberos libraries is a recipe
for disaster.
> SASL 2.1.15
> Great, but we have to allow a client (the LDAP v3 plug-in in MacOS X
> Directory Services) which can not use the GSSAPI or any SASL bind
> mechanism. In other words we need to do a simple bind with a password
> checked against Kerberos V. Various documentation leads us to believe
> we need saslauthd for this but we can never seem to make openldap use
> saslauthd.
First make sure the SASL sample-server and sample-client work using the
saslauthd. There's nothing in OpenLDAP that controls that, it's purely a SASL
configuration issue. This is not the same as testsaslauthd (which I see from
the Cyrus-SASL list that you've already gotten working).
Once you have SASL configured correctly, there's nothing else to touch.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
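The reply above boils down to "get SASL talking to saslauthd first, then slapd needs nothing special". The fragments below are an added illustration of what that setup usually looks like; they are not from the original thread and were not posted by either participant. They assume slapd was built with Cyrus SASL support, that the SASL plugin directory is /usr/lib/sasl2 (Cyrus SASL looks for a per-application file named after the application, here slapd.conf), that saslauthd's socket lives at the default /var/run/saslauthd/mux, and that the account is user "jdoe" in the constructed realm EXAMPLE.COM. The {SASL} userPassword scheme, which makes slapd hand a simple bind's password to the SASL password-check path, is documented in slapd.conf(5); the realm and user are placeholders.

```conf
# --- /usr/lib/sasl2/slapd.conf (Cyrus SASL per-application config) ---
# Assumed path: Cyrus SASL reads <plugin_dir>/<appname>.conf, and slapd's
# application name is "slapd".  This is what makes slapd use saslauthd for
# plaintext (simple bind) password checks.
pwcheck_method: saslauthd
# Only needed if saslauthd was started with a non-default -m path.
saslauthd_path: /var/run/saslauthd/mux
# The LDAP client in question cannot do SASL binds, so the only mechanism
# that matters here is the one slapd uses internally for simple binds.
mech_list: PLAIN

# --- saslauthd invocation (command as a comment; constructed) ---
# Check the password against the KDC, not against /etc/passwd or PAM:
#   saslauthd -a kerberos5 -m /var/run/saslauthd/mux
# The checks Howard describes, in order.  Each must pass before the next:
#   testsaslauthd -u jdoe -p 'secret'              # (1) daemon alone
#   sample-server -s slapd -m PLAIN                # (2) libsasl -> saslauthd
#   sample-client -s slapd -m PLAIN -u jdoe -a jdoe
#   ldapwhoami -x -H ldap://localhost -D 'uid=jdoe,ou=people,dc=example,dc=com' -W
#                                                  # (3) simple bind via slapd

# --- LDIF for the user entry (constructed placeholder values) ---
# The {SASL} scheme in userPassword tells slapd to verify a simple bind's
# password through SASL (and so through saslauthd) for the named principal,
# instead of comparing a hash stored in the directory.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@EXAMPLE.COM
```

The order of the commented checks matters: testsaslauthd only proves the daemon can reach the KDC, while sample-server/sample-client exercise the same libsasl lookup of slapd.conf that slapd itself performs. If step (2) fails, the problem is in the SASL configuration and no slapd.conf directive will fix it. Because the password crosses the wire in clear text on a simple bind, this only makes sense with TLS on the LDAP connection, which is the SSL step the original poster said was planned.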