[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and authentication

To: Matthijs <matthijs@cacholong.nl>, openldap-software@OpenLDAP.org
Subject: Re: LDAP and authentication
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Sun, 08 Feb 2004 13:38:09 -0800
Content-disposition: inline
In-reply-to: <1076271286.2017.9.camel@monster.cacholong.nl>
References: <1076271286.2017.9.camel@monster.cacholong.nl>

--On Sunday, February 08, 2004 9:14 PM +0100 Matthijs <matthijs@cacholong.nl> wrote:

I'm using LDAP for account information. The passwords are stored in an
Kerberos database (Heimdal)

This is working pretty good but i want now samba also into my ldap tree
and windows machines in my network.

But now when i try to add something to my LDAP tree i get insufficient
access:
 ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b
"dc=cacholong,dc=nl"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

When i try to search something wit SASL it works (my ticket
authenticates me right)

But when i try to add something with my ticket (SASL) then the server
says ldap_bind: Invalid credentials (49)

Then i try to add something with my ticket (SASL) and my user/pass and
that works:
server:~/cacholong# ldapadd -f ldap.ldif -D
"uid=ldapadm,dc=cacholong,dc=nl" -W Enter LDAP Password:
SASL/GSSAPI authentication started
SASL username: ldapadm@CACHOLONG.NL
SASL SSF: 56
SASL installing layers

I want to add or with my ticket or with a user/pass combination and not
both of them.

What is the output when you type "ldapwhoami" ? You need to add that kerberos identity to have write privileges into OpenLDAP. Right now you are forcing yourself to bind as uid=ldapadm, which I doubt is your username, which is what SASL/gssapi would see. For example, I give write access to uid=quanah,cn=accounts,dc=stanford,dc=edu. I use a sasl-regexp statement in slapd.conf to map me to that bind DN:

sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

---------------------------------------------------------------------------- OPINIONS EXPRESSED BY ME ARE NOT NECESSARILY SHARED BY MY EMPLOYER ---------------------------------------------------------------------------- "Why of course the people don't want war. . . . That is understood. But, after all, it is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy, or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country." --Hermann Goering, Nazi officer, during his Nuremberg war crimes trial

Follow-Ups:
- Re: LDAP and authentication
  - From: Matthijs <matthijs@cacholong.nl>
- Re: LDAP and authentication
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- LDAP and authentication
  - From: Matthijs <matthijs@cacholong.nl>

Prev by Date: Re: Can openldap do fan-out authentication?
Next by Date: Re: Can openldap do fan-out authentication?
Index(es):
- Chronological
- Thread