RE: Getting SASL working
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Thursday, December 30, 2004 1:49 PM
To: Jonathan Reeder; openldap-software@OpenLDAP.org
Subject: Re: Getting SASL working
--On Thursday, December 30, 2004 1:08 PM -0600 Jonathan Reeder
<jreeder@nscnet.com> wrote:
>>
>> I've got a working OpenLDAP 2.2 running, and I can use simple binds to
>> both modify and query the directory. However, I'm getting an error when
>> I try to bind with SASL. The error is:
>>
>> # ldapsearch -b "dc=mydomain,dc=com" "(objectclass=*)"
>> ldap_sasl_interactive_bind_s: No such object
>>
>> I have an ldap-readable keytab with a single principal -
>> ldap/fqdn@MYREALM.COM and I've defined KRB5_KTNAME in my environment. I
>> also have my rootdn set up to be "uid=ldapadmin,cn=gssapi,cn=auth". I
>> can kinit ldapadmin, receive the ticket, but then I get that "No such
>> object" error when I try to run an ldapsearch.
>>
>> Any pointers? Thanks a bunch.
>You are missing the Kerberos domain component. The identity coming in will
>be:
>
>uid=ldapadmin,cn=<Kerberos domain>, cn=gssapi, cn=auth
>
>For example, my SASL DN comes in as:
>
>uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth
>
>--Quanah
------- Jonathan Reeder's Reply -----------
Thanks a bunch for the tip, I'm sure that would have caused me trouble in
the future. However, unfortunately, I'm still getting the same error after
modifying my slapd.conf and restarting.
I don't know if my slapd.conf would be helpful to anyone, but here it is:
$ cat slapd.conf
include /usr/local/etc/openldap/schema/core.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# SASL stuff
sasl-host <FQDN.of.this.host>
sasl-realm <MYREALM.COM>
#sasl-secprops noplain,noanonymous,minssf=56
# SSL/TLS stuff
TLSCipherSuite HIGH
TLSCertificateFile /usr/local/certs/host.cert
TLSCertificateKeyFile /usr/local/certs/host.key
TLSCACertificateFile /usr/local/certs/host.cert
database bdb
suffix "dc=<mydomain>,dc=com"
#rootdn "cn=Manager,dc=<mydomain>,dc=com"
rootdn "uid=ldapadmin,cn=<MYREALM.COM>,cn=gssapi,cn=auth"
directory /var/db/openldap-data
mode 0700
# Indices to maintain
index objectClass eq
# ACLs (just to test)
access to *
by * read
Thanks again,
Jonathan
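Added example, not from the thread or from OpenLDAP itself: a short Python model of the two things the exchange above turns on, the DN slapd assigns to a GSSAPI bind (uid=<user>,cn=<realm>,cn=gssapi,cn=auth, as Quanah describes) and the way authz-regexp rules rewrite that DN before slapd compares it with the rootdn. It puts the posted rootdn without the realm component beside the corrected one, and shows why adding a blanket authz-regexp changes which DN the rootdn has to be written as. The realm MYREALM.COM, the suffix dc=mydomain,dc=com, the ou=people container and cn=Manager are assumptions filled in from Jonathan's placeholders; normalize_dn is a deliberate simplification of slapd's DN normalisation, and the authz-regexp parser only handles the quoted two-argument DN form.

```python
"""Model how slapd derives and maps a SASL/GSSAPI authentication DN.

Added example for this thread, not code from OpenLDAP or the posters. The
realm MYREALM.COM, suffix dc=mydomain,dc=com, ou=people and cn=Manager are
assumptions carried over from Jonathan's placeholders.
"""
import re
from typing import List, Sequence, Tuple

Rule = Tuple[re.Pattern, str]
_AUTHZ_LINE = re.compile(r'^authz-regexp\s+"([^"]*)"\s+"([^"]*)"\s*$')


def sasl_dn(principal: str, mech: str = "gssapi") -> str:
    """DN slapd assigns to a SASL bind: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.

    With GSSAPI, cn=<realm> is the Kerberos realm, the component the rootdn in
    the thread lacked. Assumes one realm, so authcid is the name before '@'.
    """
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError(f"expected name@REALM, got {principal!r}")
    return f"uid={name},cn={realm},cn={mech.lower()},cn=auth"


def normalize_dn(dn: str) -> str:
    """Approximate slapd DN normalisation (trim around commas, lower-case);
    real slapd normalises per matching rule and handles escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def parse_authz_regexp(conf: str) -> List[Rule]:
    """Collect authz-regexp rules from slapd.conf text in file order.

    A line starting with whitespace continues the previous directive, as in
    slapd.conf; only the quoted two-argument form is recognised.
    """
    logical: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules: List[Rule] = []
    for line in logical:
        m = _AUTHZ_LINE.match(line)
        if m:
            # Assumption: slapd matches the normalised (lower-cased) DN, so a
            # case-insensitive match stands in for that here.
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def map_sasl_dn(auth_dn: str, rules: Sequence[Rule]) -> str:
    """Apply authz-regexp rules as slapd does: first match wins, $N is filled
    from the regex groups, and an identity matching no rule is kept as-is.

    slapd does not anchor the pattern, so rules carry their own ^ and $. Only
    the DN form of the replacement is modelled, not the LDAP-URL form.
    """
    for pattern, replacement in rules:
        m = pattern.search(auth_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


def check_rootdn(rootdn: str, principal: str, rules: Sequence[Rule] = ()) -> Tuple[str, bool]:
    """Return (effective bind DN, whether it equals the rootdn) for a GSSAPI bind."""
    dn = map_sasl_dn(sasl_dn(principal), rules)
    return dn, dn_equal(dn, rootdn)


# Constructed slapd.conf fragment (not from the thread): the admin principal maps
# onto the manager entry, everyone else in the realm onto ou=people, and the
# rootdn is the *mapped* DN, since mapping happens before the rootdn check.
SLAPD_CONF = '''
sasl-realm MYREALM.COM
authz-regexp "^uid=ldapadmin,cn=MYREALM.COM,cn=gssapi,cn=auth$"
             "cn=Manager,dc=mydomain,dc=com"
authz-regexp "^uid=([^,]*),cn=MYREALM.COM,cn=gssapi,cn=auth$"
             "uid=$1,ou=people,dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
'''

if __name__ == "__main__":
    admin = "ldapadmin@MYREALM.COM"
    # rootdn as posted, without cn=<realm>: the incoming identity never matches
    print(check_rootdn("uid=ldapadmin,cn=gssapi,cn=auth", admin))
    # Quanah's form, with cn=<realm>: matches without any authz-regexp
    print(check_rootdn("uid=ldapadmin,cn=MYREALM.COM,cn=gssapi,cn=auth", admin))
    # once authz-regexp is in play, the rootdn must be the mapped DN
    rules = parse_authz_regexp(SLAPD_CONF)
    print(check_rootdn("cn=Manager,dc=mydomain,dc=com", admin, rules))
    print(check_rootdn("cn=Manager,dc=mydomain,dc=com", "jreeder@MYREALM.COM", rules))
```

On a live server the equivalent check is `kinit ldapadmin` followed by `ldapwhoami -Y GSSAPI`, which prints the DN slapd actually ended up with after any authz-regexp mapping; if that DN is not byte-for-byte the one the rootdn or the ACLs name, the bind is a plain authenticated user, not the root identity.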