Re: LDAP and authentication
On Mon, 2004-02-09 at 00:41, Quanah Gibson-Mount wrote:
> --On Sunday, February 08, 2004 11:04 PM +0100 Matthijs
> <matthijs@cacholong.nl> wrote:
>
> >> sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
> >> ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu
>
> > You would like to say this: changing my acl's to:
> >
> > access to attribute=userPassword
> > by dn="dc=cacholong,dc=nl" write
> > by dn="uid=ldapadm,cn=cacholong.nl,cn=auth" write
> > by anonymous auth
> > by self write
> > by * none
> > access to *
> > by dn="dc=cacholong,dc=nl" write
> > by dn="uid=ldapadm,cn=cacholong.nl,cn=auth" write
> > by * read
> >
> > You say with sasl-regexp, i've never used that configuration option so i
> > have to carefully read what it does.
>
> It looks like you actually don't have to change much, and you have misread
> what I've said.
>
> What you want is something like:
>
> sasl-regexp uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
> ldap://uid=$1,dc=cacholong,dc=nl
>
> That should map this:
>
> uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth
>
> to
>
> uid=ldapadm,dc=cacholong,dc=nl
>
> Then you can use this ACL:
>
> access to attribute=userPassword
> by dn="dc=cacholong,dc=nl" write
> by dn="uid=ldapadm,dc=cacholong,dc=nl" write
> by anonymous auth
> by self write
> by * none
> access to *
> by dn="dc=cacholong,dc=nl" write
> by dn="uid=ldapadm,dc=cacholong,dc=nl" write
> by * read
>
>
> --Quanah
>
I've changed this in my ACLs and I've added the configuration option as
you said, but when I try to do this:
server:/etc/ldap# ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
server:~/cacholong# ldapadd -f ldap.ldif -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Now I try with my GSSAPI ticket:
server:~/cacholong# ldapsearch -D "uid=ldapadm,dc=cacholong,dc=nl"
SASL/GSSAPI authentication started
SASL username: ldapadm@CACHOLONG.NL
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
[snip]
server:~/cacholong# ldapadd -f ldapnew -D "uid=ldapadm,dc=cacholong,dc=nl"
SASL/GSSAPI authentication started
SASL username: ldapadm@CACHOLONG.NL
SASL SSF: 56
SASL installing layers
So with my ticket I can authenticate, but when I try a simple bind (-x)
it won't work.
This is my configuration:
# The Kerberos plugins
sasl-realm CACHOLONG.NL
sasl-host server.cacholong.nl
sasl-regexp uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
ldap://uid=$1,dc=cacholong,dc=nl
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=cacholong,dc=nl"
# rootdn
rootdn "uid=ldapadm,dc=cacholong,dc=nl"
rootpw {KERBEROS}ldapadm@CACHOLONG.NL
# Where the database file are physically stored for database #1
directory "/var/lib/ldap-cacholong"
#### Indexing options for database #1
include /etc/ldap/ldapconfig/ldapindex-cacholong.conf
# Save the time that the entry gets modified, for database #1
lastmod on
And when I change my rootpw to something like this: rootpw secret
then I get the same again:
server:/etc/ldap# ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
So I think there is something wrong at compile time, but what kind of
configure option I've missed, I don't know.
I send my configure options as an attachment.
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
--prefix=/usr
--libexecdir='${prefix}/lib'
--sysconfdir=/etc
--localstatedir=/var/run
--mandir='${prefix}/share/man'
--with-subdir=ldap
--enable-debug
--enable-syslog
--enable-proctitle
--enable-referrals
--enable-ipv6
--enable-local
--with-cyrus-sasl
--with-kerberos
--with-readline
--with-threads
--with-tls
--enable-slapd
--disable-cleartext
--enable-crypt
--enable-dynamic
--enable-kpasswd
--enable-spasswd
--enable-modules
--enable-phonetic
--enable-rewrite
--disable-rlookups
--enable-slp
--enable-wrappers
--enable-bdb
--with-bdb-module=dynamic
--enable-dnssrv
--with-dnssrv-module=dynamic
--enable-ldap
--with-ldap-module=dynamic
--enable-ldbm
--with-ldbm-api=berkeley
--with-ldbm-module=dynamic
--enable-meta
--with-meta-module=dynamic
--enable-monitor
--with-monitor-module=dynamic
--enable-null
--with-null-module=dynamic
--enable-passwd
--with-passwd-module=dynamic
--disable-perl
--enable-shell
--with-shell-module=dynamic
--with-sql-module=dynamic
--enable-slurpd
--enable-shared
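To make concrete what the sasl-regexp mapping and the userPassword ACL quoted in the thread above actually do, here is an added Python model; it is not code from the thread or from OpenLDAP. It applies the $1 substitution to the GSSAPI authz DN and then evaluates the ACL with slapd's first-matching-"by"-clause rule; whole-string matching, case folding and exact DN comparison are simplifying assumptions, and the URL form of the replacement is not modelled.

```python
import re

# Constructed from the thread: the sasl-regexp rule and the
# userPassword ACL, as ordered (who, access) pairs.
SASL_REGEXP = (r"uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth",
               "uid=$1,dc=cacholong,dc=nl")

USERPASSWORD_ACL = [
    ("dn:dc=cacholong,dc=nl", "write"),
    ("dn:uid=ldapadm,dc=cacholong,dc=nl", "write"),
    ("anonymous", "auth"),
    ("self", "write"),
    ("*", "none"),
]

def norm_dn(dn):
    """Assumption: exact DN match after stripping spaces and case folding."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def map_sasl_dn(authz_dn, pattern, replacement):
    """Apply one sasl-regexp rule: the pattern must match the whole SASL
    authz DN (case-insensitively; both assumptions) and $N in the replacement
    is filled from capture group N. None means the rule did not apply."""
    m = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)

def acl_access(acl, bind_dn, target_dn):
    """Evaluate one 'access to' stanza: the first 'by' clause that matches
    the binding identity decides. bind_dn is None for an anonymous bind."""
    for who, access in acl:
        if who == "*":
            return access
        if bind_dn is None:
            if who == "anonymous":
                return access
            continue
        if who == "self" and norm_dn(bind_dn) == norm_dn(target_dn):
            return access
        if who.startswith("dn:") and norm_dn(bind_dn) == norm_dn(who[3:]):
            return access
    return "none"  # no clause matched: slapd denies by default

def gssapi_write_access(sasl_authz_dn, target_dn):
    """Bind via GSSAPI as sasl_authz_dn, map it through the rule, then ask
    what access that identity gets to target_dn's userPassword."""
    mapped = map_sasl_dn(sasl_authz_dn, *SASL_REGEXP) or sasl_authz_dn
    return mapped, acl_access(USERPASSWORD_ACL, mapped, target_dn)
```

The unmapped case shows why the rule matters: an authz DN the regexp does not rewrite never equals the `by dn=` entries and falls through to `by * none`.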