
Re: kpasswd



If you want SASL for just Kerberos -- disable building sasl with db
support and also disable _ALL_ plugins you don't plan on using. My
configure, which supports Sendmail, Cyrus IMAP and eventually OpenLDAP
with SASL support (still using kpasswd) -- this is from my RedHat RPM
for sasl 2.1.13. Also remember saslauthd checks the HOST ticket, not a
specific app, so you need host/hostname.domainname.edu for example, not
just ldap/hostname.

export LDFLAGS="-L/usr/kerberos/lib"
export CPPFLAGS="-I /usr/kerberos/include"
export CFLAGS="-I /usr/kerberos/include"
./configure --prefix=/usr \
        --with-dblib=no \
        --with-saslauthd=/var/lib/saslauthd \
        --enable-cram=no \
        --with-pam=no \
        --enable-digest=no \
        --enable-otp=no \
        --enable-srp=no \
        --enable-krb4=no \
        --enable-checkapop=no \
        --enable-gssapi


Allan Streib wrote:
> 
> On Friday, October 17, 2003, at 11:13 AM, I wrote:
> 
> > I'm running into some difficulty -- started saslauthd as:
> >    saslauthd -a kerberos5
> >
> > Edited my userPassword attribute to be:
> >
> >    userPassword: {SASL}astreib@IU.EDU
> >
> > I get an invalid credentials error trying to bind.  Also tried
> > omitting the @IU.EDU and the same error.  My ldap logs show:
> >
> > Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Error: unable to open
> > Berkeley db /etc/sasldb2: No such file or directory
> > Oct 17 11:06:56 slapd[30324]: SASL [conn=10] Failure: Invalid
> > credentials
> 
> I created the /etc/sasldb2 and that made no difference (other than
> making that log message stop).  Here's some more detailed logging -- if
> anyone can spot a clue here I'd appreciate some guidance.  I'm thinking
> the "Converted SASL name to <nothing>" message might be a problem?
> 
> .
> .
> .
> SASL Canonicalize [conn=1]: authcid="astreib@IU.EDU"
> slap_sasl_getdn: id=astreib@IU.EDU [len=14]
> getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
>  >>> dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
> => ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
> <= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
> <<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
> a DN
> slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL Canonicalize [conn=1]: authcDN="uid=astreib,cn=iu.edu,cn=auth"
> slap_sasl_getdn: id=astreib@IU.EDU [len=0]
> getdn: u:id converted to uid=astreib,cn=IU.EDU,cn=auth
>  >>> dnNormalize: <uid=astreib,cn=IU.EDU,cn=auth>
> => ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)
> <= ldap_bv2dn(uid=astreib,cn=IU.EDU,cn=auth,0)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=astreib,cn=iu.edu,cn=auth,272)=0
> <<< dnNormalize: <uid=astreib,cn=iu.edu,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=astreib,cn=iu.edu,cn=auth to
> a DN
> slap_sasl_regexp: converting SASL name uid=astreib,cn=iu.edu,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> ldap_err2string
> SASL [conn=1] Failure: Invalid credentials
> .
> .
> .
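
The host-principal point in the reply above, as an added example that is not part of the original message: a check that a keytab listing contains host/FQDN and not only a service-specific entry such as ldap/FQDN. It assumes the MIT `klist -k` listing layout (KVNO, then principal); the function names and the sample hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example: verify that a keytab holds the host/ principal that
# saslauthd's kerberos5 mechanism checks, not just ldap/<host>.

# keytab_services FQDN
# Reads `klist -k` output on stdin and prints the distinct service names
# (the part before the "/") that have a key for FQDN, one per line.
keytab_services() {
    awk -v host="$1" '
        # Entry lines look like: "   3 host/ldap1.example.edu@EXAMPLE.EDU"
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            sub(/@.*$/, "", princ)        # drop the realm
            n = index(princ, "/")
            if (n == 0) next              # user principal, no instance part
            svc  = substr(princ, 1, n - 1)
            inst = substr(princ, n + 1)
            # Several key versions/enctypes repeat a principal; report once.
            if (inst == host && !(svc in seen)) { seen[svc] = 1; print svc }
        }'
}

# has_host_principal FQDN
# Returns 0 if the listing on stdin contains host/FQDN, 1 otherwise.
has_host_principal() {
    keytab_services "$1" | grep -qx 'host'
}

# Constructed sample listings (not taken from the thread).
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.example.edu@EXAMPLE.EDU
   3 host/ldap1.example.edu@EXAMPLE.EDU
   2 ldap/ldap1.example.edu@EXAMPLE.EDU'

LDAP_ONLY_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldap1.example.edu@EXAMPLE.EDU
   5 host/other.example.edu@EXAMPLE.EDU'

# Real use: klist -k /etc/krb5.keytab | has_host_principal "$(hostname -f)"
```

The second sample is the case the reply warns about: a key for ldap/ on this host, and a host/ key that belongs to a different machine.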