Re: LDAP and authentication
On Sun, 2004-02-08 at 22:38, Quanah Gibson-Mount wrote:
> --On Sunday, February 08, 2004 9:14 PM +0100 Matthijs
> <matthijs@cacholong.nl> wrote:
>
> > I'm using LDAP for account information. The passwords are stored in a
> > Kerberos database (Heimdal).
> >
> > This is working pretty well, but now I also want Samba in my LDAP tree
> > and Windows machines in my network.
> >
> > But now when I try to add something to my LDAP tree I get insufficient
> > access:
> > ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b "dc=cacholong,dc=nl"
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
> >
> > When I try to search something with SASL it works (my ticket
> > authenticates me correctly).
> >
> > But when I try to add something with my ticket (SASL), the server
> > says ldap_bind: Invalid credentials (49).
> >
> > Then I try to add something with my ticket (SASL) and my user/pass, and
> > that works:
> > server:~/cacholong# ldapadd -f ldap.ldif -D "uid=ldapadm,dc=cacholong,dc=nl" -W
> > Enter LDAP Password:
> > SASL/GSSAPI authentication started
> > SASL username: ldapadm@CACHOLONG.NL
> > SASL SSF: 56
> > SASL installing layers
> >
> > I want to add either with my ticket or with a user/pass combination, not
> > both of them.
>
> What is the output when you type "ldapwhoami"? You need to add that
> Kerberos identity to have write privileges into OpenLDAP. Right now you
> are forcing yourself to bind as uid=ldapadm, which I doubt is your
> username, which is what SASL/GSSAPI would see. For example, I give write
> access to uid=quanah,cn=accounts,dc=stanford,dc=edu. I use a sasl-regexp
> statement in slapd.conf to map me to that bind DN:
>
> sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
> ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
>
server:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldapadm@CACHOLONG.NL
SASL SSF: 56
SASL installing layers
dn:uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth
You mean something like this, changing my ACLs to:

# the SASL identity is spelled exactly as ldapwhoami reports it,
# including the cn=gssapi component
access to attribute=userPassword
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth" write
        by * read

You mention sasl-regexp; I've never used that configuration option, so I
have to read carefully what it does.
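The two fixes discussed in this thread, as an added worked example (not code from either poster and not OpenLDAP's own code): a small Python model of how slapd turns a SASL/GSSAPI identity into a bind DN with sasl-regexp, and how the `by dn=` clauses of an ACL are then evaluated against that DN. The slapd.conf fragments inside it are constructed for the example and reuse the thread's realm and suffix; the ACL parser understands only `sasl-regexp` lines and the `by` clauses of a single `access to *` directive, and an `ldap:///<dn>` replacement without a filter is treated as that plain DN rather than running the internal search real slapd would perform.

```python
import re

# Constructed sample input: the identity slapd sees after a SASL/GSSAPI bind,
# as ldapwhoami reports it in the thread.
SASL_AUTH_DN = "uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth"

# Constructed slapd.conf fragment (hypothetical, not the poster's file): one
# sasl-regexp mapping plus a single "access to *" directive that grants
# write to the directory entry the identity is mapped onto.
CONF_WITH_REGEXP = """
sasl-regexp uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth uid=$1,dc=cacholong,dc=nl
access to *
        by dn="uid=ldapadm,dc=cacholong,dc=nl" write
        by * read
"""

# The other option from the thread (also constructed): no mapping at all,
# and the ACL names the cn=auth identity itself.
CONF_DIRECT = """
access to *
        by dn="uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth" write
        by * read
"""

# slapd access levels, weakest to strongest (2.2-era set).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_conf(text):
    """Return ([(pattern, replacement)], [(who, level)]) from the fragment.
    'who' is '*', 'anonymous' or a lower-cased DN; other lines are rejected."""
    regexps, by_clauses = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("access to"):
            continue
        if line.startswith("sasl-regexp"):
            _, pattern, replacement = line.split(None, 2)
            regexps.append((pattern, replacement))
            continue
        m = re.fullmatch(r'by\s+(\*|anonymous|dn="([^"]*)")\s+(\w+)', line)
        if not m:
            raise ValueError("unsupported line: %r" % line)
        who, dn, level = m.groups()
        by_clauses.append((dn.lower() if dn is not None else who, level))
    return regexps, by_clauses


def map_identity(sasl_dn, regexps):
    """Apply the first sasl-regexp whose pattern matches the whole auth DN and
    expand $1..$9 from its capture groups. With no match slapd keeps the
    cn=auth DN unchanged, which is what this returns too."""
    for pattern, replacement in regexps:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
        if m is None:
            continue
        dn = replacement
        for i, group in enumerate(m.groups(), start=1):
            dn = dn.replace("$%d" % i, group)
        # A bare ldap(s):///<dn> replacement is taken as that DN here
        # (real slapd would run the internal search the URL describes).
        return re.sub(r"^ldaps?:///", "", dn)
    return sasl_dn


def access_level(bind_dn, by_clauses):
    """First matching 'by' clause wins, as in slapd; nothing matching = none."""
    for who, level in by_clauses:
        if who == "*":
            return level
        if who == "anonymous" and bind_dn == "":
            return level
        if who not in ("*", "anonymous") and bind_dn.lower() == who:
            return level
    return "none"


def can_write(bind_dn, by_clauses):
    return LEVELS.index(access_level(bind_dn, by_clauses)) >= LEVELS.index("write")


def check(conf_text, sasl_dn):
    """Return (mapped DN, level before mapping, level after mapping)."""
    regexps, acl = parse_conf(conf_text)
    mapped = map_identity(sasl_dn, regexps)
    return mapped, access_level(sasl_dn, acl), access_level(mapped, acl)


if __name__ == "__main__":
    for name, conf in (("with sasl-regexp", CONF_WITH_REGEXP),
                       ("direct cn=auth ACL", CONF_DIRECT)):
        mapped, before, after = check(conf, SASL_AUTH_DN)
        print("%-20s maps to %s; access %s -> %s" % (name, mapped, before, after))
```

The first fragment reproduces the failure in the thread: the raw GSSAPI identity only falls through to `by * read`, so a write with the ticket is refused until sasl-regexp maps it onto the entry the ACL names. The second shows that naming the `cn=gssapi,cn=auth` DN in the ACL also works, provided it is spelled exactly as ldapwhoami reports it.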