Re: LDAP and authentication
Quanah Gibson-Mount <quanah@stanford.edu> writes:
> --On Sunday, February 08, 2004 9:14 PM +0100 Matthijs
> <matthijs@cacholong.nl> wrote:
>
>> I'm using LDAP for account information. The passwords are stored in a
>> Kerberos database (Heimdal).
>> But now when I try to add something to my LDAP tree I get insufficient
>> access:
>> ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b "dc=cacholong,dc=nl"
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>> When I try to search something with SASL it works (my ticket
>> authenticates me right).
>>
>> But when I try to add something with my ticket (SASL) then the server
>> says ldap_bind: Invalid credentials (49).
>>
>> Then I try to add something with my ticket (SASL) and my user/pass and
>> that works:
>> server:~/cacholong# ldapadd -f ldap.ldif -D "uid=ldapadm,dc=cacholong,dc=nl" -W
>> Enter LDAP Password:
>> SASL/GSSAPI authentication started
>> SASL username: ldapadm@CACHOLONG.NL
>> SASL SSF: 56
>> SASL installing layers
>>
>> I want to add either with my ticket or with a user/pass combination, not
>> both of them.
>
> What is the output when you type "ldapwhoami" ? You need to add that
> kerberos identity to have write privileges into OpenLDAP. Right now
> you are forcing yourself to bind as uid=ldapadm, which I doubt is your
> username, which is what SASL/gssapi would see. For example, I give
> write access to uid=quanah,cn=accounts,dc=stanford,dc=edu. I use a
> sasl-regexp statement in slapd.conf to map me to that bind DN:
>
> sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
> ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu
No, Matthijs is trying a simple bind, that is, SASL is not
involved. Either uid=ldapadm has no entry and no userpasswd attribute,
or the value of userpasswd is wrong, but ldapadm is a principal, thus
GSSAPI works fine.
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
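To make the distinction drawn in this thread concrete, here is an added Python model (not code from the thread, from OpenLDAP, or from any of the posters) of the two bind paths slapd evaluates: a simple bind compared against the entry's userPassword, and a SASL/GSSAPI bind whose Kerberos principal is rewritten by a sasl-regexp to a DN that the ACL can name. The directory contents, the regexp for the CACHOLONG.NL realm, the ACL and the password value are all constructed assumptions.

```python
import re

# Constructed directory for the scenario in the thread: passwords live in
# Kerberos (Heimdal), so uid=ldapadm carries no userPassword attribute.
DIRECTORY = {
    "uid=ldapadm,dc=cacholong,dc=nl": {"objectClass": ["account"]},
    "uid=matthijs,dc=cacholong,dc=nl": {
        "objectClass": ["account"], "userPassword": ["constructed-secret"]},
}

# Assumed slapd.conf mapping, in the style of the sasl-regexp line above:
#   sasl-regexp uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
#               uid=$1,dc=cacholong,dc=nl
SASL_REGEXP = (r"^uid=([^,]+),cn=cacholong\.nl,cn=gssapi,cn=auth$",
               r"uid=\1,dc=cacholong,dc=nl")

# Assumed ACL: access to * by dn.exact="uid=ldapadm,dc=cacholong,dc=nl" write
WRITE_DNS = {"uid=ldapadm,dc=cacholong,dc=nl"}

INVALID_CREDENTIALS = "ldap_bind: Invalid credentials (49)"


def simple_bind(dn: str, password: str) -> str:
    """Simple bind (-D/-W): slapd compares against the entry's userPassword."""
    entry = DIRECTORY.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        return INVALID_CREDENTIALS  # no entry, no userPassword, or wrong value
    return dn


def sasl_bind(sasl_username: str) -> str:
    """SASL/GSSAPI bind: the Kerberos principal becomes a cn=auth identity,
    which sasl-regexp may rewrite to a real DN in the tree."""
    user, _, realm = sasl_username.partition("@")
    auth_id = f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"
    pattern, repl = SASL_REGEXP
    # An unmapped identity still binds, but no ACL below names it, so it
    # gets no write access; this is the failure Quanah describes.
    if re.match(pattern, auth_id):
        return re.sub(pattern, repl, auth_id)
    return auth_id


def can_write(bound_dn: str) -> bool:
    """Evaluate the assumed ACL against the identity the bind resolved to."""
    return bound_dn in WRITE_DNS
```

Running simple_bind against uid=ldapadm reproduces the error code 49 from the thread, while sasl_bind("ldapadm@CACHOLONG.NL") lands on a DN the ACL grants write to without any password in LDAP.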