[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Getting SASL working

To: "Quanah Gibson-Mount" <quanah@stanford.edu>, <openldap-software@OpenLDAP.org>
Subject: RE: Getting SASL working
From: "Jonathan Reeder" <jreeder@nscnet.com>
Date: Thu, 30 Dec 2004 14:02:43 -0600
Importance: Normal
In-reply-to: <D049D71E19D6CC443F0C934E@cadabra-dsl.stanford.edu>

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Thursday, December 30, 2004 1:49 PM
To: Jonathan Reeder; openldap-software@OpenLDAP.org
Subject: Re: Getting SASL working


--On Thursday, December 30, 2004 1:08 PM -0600 Jonathan Reeder
<jreeder@nscnet.com> wrote:

>>
>> I've got a working OpenLDAP 2.2 running, and I can use simple binds to
>> both modify and query the directory.  However, I'm getting an error when
>> I try to bind with SASL.  The error is:
>>
>># ldapsearch -b "dc=mydomain,dc=com" "(objectclass=*)"
>> ldap_sasl_interactive_bind_s: No such object
>>
>> I have an ldap-readable keytab with a single principle -
>> ldap/fqdn@MYREALM.COM and I've defined KRB5_KTNAME in my environment.  I
>> also have my rootdn set up to be "uid=ldapadmin,cn=gssapi,cn=auth".  I
>> can kinint ldapadmin, receive the ticket, but then I get that "No such
>> object" error when I try to run an ldapsearch.
>>
>> Any pointers?  Thanks a bunch.

>You are missing the Kerberos domain component.  The identity coming in will
>be:
>
>uid=ldapadmin,cn=<Kerberos domain>, cn=gssapi, cn=auth
>
>For example, my SASL DN comes in as:
>
>uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth
>
>--Quanah


------- Jonathan Reeder's Reply -----------

Thanks a bunch for the tip, I'm sure that would have caused me trouble in
the future.  However, unfortunately, I'm still getting the same error after
modifying my slapd.conf and restarting.

I don't know if my slapd.conf would be helpful to anyone, but here it is:

$ cat slapd.conf
include         /usr/local/etc/openldap/schema/core.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# SASL stuff
sasl-host <FQDN.of.this.host>
sasl-realm <MYREALM.COM>
#sasl-secprops  noplain,noanonymous,minssf=56

# SSL/TLS stuff
TLSCipherSuite          HIGH
TLSCertificateFile      /usr/local/certs/host.cert
TLSCertificateKeyFile   /usr/local/certs/host.key
TLSCACertificateFile    /usr/local/certs/host.cert

database        bdb
suffix          "dc=<mydomain>,dc=com"
#rootdn         "cn=Manager,dc=<mydomain>,dc=com"
rootdn "uid=ldapadmin,cn=<MYREALM.COM>,cn=gssapi,cn=auth"
directory       /var/db/openldap-data
mode            0700
# Indices to maintain
index   objectClass     eq

# ACLs (just to test)
access to *
        by * read

Thanks again,

Jonathan

Follow-Ups:
- RE: Getting SASL working
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Re: Getting SASL working
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: Odd problem with open-ldap
Next by Date: Re: Odd problem with open-ldap
Index(es):
- Chronological
- Thread