[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Openldap using Active Directory Kerberos password
Today at 9:26am, tuliol@sybatech.com wrote:
> Frank,
> When I try to run saslauthd with -a kerberos I get:
> saslauthd: saslauthd[1531] :set_auth_mech : unknown authentication mechanism:
> kerberos
>
> How did you compile cyrus-sasl:
> I did:
> ./configure --with-ldap=/usr/local/lib --with-openssl --enable-login --with-
> saslauthd --enable-gssapi --without-des --without-rc4 --disable-krb4
I didn't compile cyrus-sasl, I used the RedHat rpm.
> Also do you have a saslRegexp set in your openldap slapd.conf?
Yes, but since the client is not using SASL to talk to the ldap server
it has absolutely nothing to do with getting the server to use SASL to
authenticate DN's via their kerberos principal and password....
Frank
>
> Thanks for your help.
>
>
>
>
> Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
>
> > Please do not mail me personally, keep it on the list.
> >
> > On Mon, 28 Jun 2004 at 9:17pm, tuliol@sybatech.com wrote:
> >
> > > Hi Frank,
> > > Thanks for your reply.
> > > I changed the userPassword: {SASL}stest75@AD.INST.EDU
> > >
> > > The saslauthd is running (/usr/local/sbin/saslauthd -a pam) and I have
> > > a /usr/lib/sasl2/slapd.conf with the following:
> >
> > Does the testsaslauthd program work? If that doesn't work, nothing else
> > will. I run saslauthd with -a kerberos myself, but if pam is going to
> > validate stest75@AD.INST.EDU as a valid userid then I guess that will
> > work too.
> >
> > > pwcheck_method:saslauthd
> > > saslauthd_path:/var/state/saslauthd/mux
> >
> > Aside from spacing, that's exactly what my sasl2/slapd.conf file has in
> > it.
> >
> > > The problem is that when I run a ldapsearch query that binds as the user
> > > uid=stest75 and the kerberos password it still gives me:
> > > ldap_bind: Invalid credentials (49) Incorrect Password or UserName
> > >
> > > Do I need to set these in slapd.conf:
> > > #sasl-realm
> > > #sasl-host
> > > #sasl-secprops none
> >
> > I don't use them in mine.
> >
> > >
> > >
> > > Any ideas?
> >
> > I am expecting that if you attempt with the testsaslauthd program that
> > it will fail too indicating that saslauthd is not successfully
> > validating users.
> >
> > I use saslauthd -a kerberos, I have a keytab file that has the
> > host/<FQDN> key for each of my ldap servers in it (granted, the KDC I'm
> > working against is a DCE security server so it's not exactly the same as
> > using Active Directory).
> >
> > >
> > > Thanks again
> > >
> > > Tulio
> > > Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
> > >
> > > > On Fri, 25 Jun 2004 at 8:18am, tuliol@sybatech.com wrote:
> > > >
> > > > > I got the OS to successfully used the MS AD kerberos password.
> > > > > Then I have the following in slapd.conf:
> > > >
> > > > Good.
> > > >
> > > > > userPassword: {KERBEROS}stest75@AD.INST.EDU
> > > > >
> > > > > Then when I try to do a bind using this account it fails.
> > > >
> > > > Oops! You want that to be {SASL}stest75@AD.INST.EDU. You are having
> > > > OpenLDAP use SASL and the saslauthd program will use Kerberos.
> > > >
> > > > Did you set up the /usr/lib/sasl2/slapd.conf file? It should have the
> > > > "pwcheck_methid: saslauthd" line (possibly a "saslauthd_path:" directive
> > > > too)
> > > >
> > > > Frank
> > > >
> > > > > Any ideas?
> > > > >
> > > > > Tulio
> > > > >
> > > > >
> > > > > Quoting tuliol@sybatech.com:
> > > > >
> > > > > > Frank,
> > > > > > Thanks for your reply. My OS (Redhat AS) currently is using local
> > > > accounts
> > > > > > and
> > > > > > not kerberos. Is that the first step? How do I figure out what the
> > > > Kerberos
> > > > > >
> > > > > > realm is for the MS AD? Do you have instructions on how to
> > configure
> > > > slapd
> > > > > > to
> > > > > > use saslauth once the os is ready?
> > > > > >
> > > > > > Thanks again
> > > > > >
> > > > > > Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
> > > > > >
> > > > > > > On Wed, 23 Jun 2004 at 4:21pm, tuliol@sybatech.com wrote:
> > > > > > >
> > > > > > > > I am trying to use the kerberos password found in Microsoft
> > active
> > > > > > > > directory as the userPassword for my Openldap directory. Has
> > > > anybody
> > > > > > > > been sucessful in setting this up?
> > > > > > > >
> > > > > > > > Any help would be greatly apprectiated.
> > > > > > >
> > > > > > > Have you successfully configured your OS to use the MS AD Kerberos
> > > > > > > password? If so, you should be able to configure it the same we
> > > > several
> > > > > > > of us have to talk to either Heimdal or MIT K5 KDC's (using
> > > > > > > {SASL}principal@realm as the userPassword value and configuring
> > slapd
> > > > to
> > > > > > > use saslauthd).
> > > > > > >
> > > > > > > --
> > > > > > > Frank Swasey | http://www.uvm.edu/~fcs
> > > > > > > Systems Programmer | Always remember: You are UNIQUE,
> > > > > > > University of Vermont | just like everyone else.
> > > > > > > === God bless all inhabitants of your planet ===
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > --
> > > > Frank Swasey | http://www.uvm.edu/~fcs
> > > > Systems Programmer | Always remember: You are UNIQUE,
> > > > University of Vermont | just like everyone else.
> > > > === God bless all inhabitants of your planet ===
> > > >
> > >
> > >
> > >
> > >
> >
> > --
> > Frank Swasey | http://www.uvm.edu/~fcs
> > Systems Programmer | Always remember: You are UNIQUE,
> > University of Vermont | just like everyone else.
> > === God bless all inhabitants of your planet ===
> >
>
>
>
>
--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God bless all inhabitants of your planet ===