[Date Prev][Date Next] [Chronological] [Thread] [Top]

simple bind and ldap_bind: Invalid credentials (49)



Okay, it's Friday and I'm brain-dead. I have openLDAP+SASL+Kerberos up, configured and running with all passwords stored in our kerberos database. I can run queries via simple/anonymous binds, simple/anonymous binds overSSL/TLS, kerberos tickets, and kerberos tickets with SSL/TLS. Where I'm running into problems is a simple user bind.

See the following:

ldapsearch -x -D "uid=dumbUser,ou=People,dc=example,dc=com" -W -b "" -s base -LLL -H ldaps://server.example.com/ supportedSASLMechanisms
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


A user LDAP record looks like this:
dn: uid=dumbUser,ou=People,dc=example,dc=com
userPassword: {SASL}dumbUser@KRB.EXAMPLE.COM

You may ask "Why would I want to do this?" Well, I have a few clients that can't do SASL binds.

Any ideas where to look?
--
Karen R. McArthur <kmcarthu@bates.edu>
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240
ph:(207) 786-8236   fax:(207) 786-6057

########################################
#from slapd.conf
#SASL configuration
sasl-realm      KRB.EXAMPLE.COM
sasl-host       server.example.com
sasl-secprops   noanonymous
sasl-regexp
        uid=(.*),cn=krb.example.com,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=example,dc=com
sasl-regexp
        cn=(.*),cn=krb.example.com,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=example,dc=com
sasl-regexp
        uid=(.*),cn=example.com,cn=kerberos_v4,cn=auth
        ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)

access to attr=userPassword
        by anonymous auth
        by by dn="cn=Manager,dc=example,dc=com" write
        by dn="uid=ldapadm.+\+(realm=ILS\.EXAMPLE\.COM)" write
        by * none