
Re: SASL authentication : Inappropriate authentication error





--On Monday, May 15, 2006 11:53 AM +0200 Benoit Callebaut <bc@cetic.be> wrote:


The behavior of ldapsearch is not what I expected:
1 It asked me my "authorization name". Why? I am already authenticated
by Kerberos (I have a ticket)
2 It doesn't map my name to a correct dn.

Here is the slapd.conf:
--- SNIP ---
# sasl-realm              TEST.CETIC.BE
sasl-host               pt-jv.cetic.be

Don't set sasl-host.

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by dn="cn=Manager,dc=pt-jv,dc=cetic,dc=be" write
        by dn="uid=ldapadm.+\+realm=TEST\.CETIC\.BE" write
        by dn="uid=bc.+\+realm=TEST\.CETIC\.BE" write
        by self write
        by Manager write
        by users read
        by anonymous auth

Your authz-regexp's aren't correct at all. Try this:


authz-regexp uid=(.*),cn=TEST.CETIC.BE,cn=gssapi,cn=auth uid=$1,ou=employees,ou=people,ou=Users,dc=pt-jv,dc=cetic,dc=be



--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
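
How the authz-regexp rule suggested above rewrites a SASL identity, as an added example (not part of the original message and not slapd's own code). Python's `re` module stands in for slapd's regex matching; `STRICT_RULE`, the helper names and the sample DNs are assumptions constructed here.

```python
import re

# Rule as given in the reply above: (match pattern, replacement template).
THREAD_RULE = (
    r"uid=(.*),cn=TEST.CETIC.BE,cn=gssapi,cn=auth",
    "uid=$1,ou=employees,ou=people,ou=Users,dc=pt-jv,dc=cetic,dc=be",
)
# Stricter variant (an assumption added here, not from the thread): anchored,
# literal dots in the realm, and a uid capture that cannot span several RDNs.
STRICT_RULE = (
    r"^uid=([^,]*),cn=TEST\.CETIC\.BE,cn=gssapi,cn=auth$",
    THREAD_RULE[1],
)

def expand(template, match):
    """Substitute $0..$9 in the replacement template with captured groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)

def map_authz(sasl_dn, rules):
    """Return the DN produced by the first matching rule, else the DN unchanged."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return expand(template, m)
    return sasl_dn

# Constructed sample identities in the uid=<user>[,cn=<realm>],cn=<mech>,cn=auth form.
SAMPLES = [
    "uid=bc,cn=test.cetic.be,cn=gssapi,cn=auth",   # expected realm
    "uid=bc,cn=gssapi,cn=auth",                    # no realm component
    "uid=bc,cn=testxcetic.be,cn=gssapi,cn=auth",   # differs at an unescaped dot
]

def compare(samples=SAMPLES):
    """Map each sample with both rules so differences are visible side by side."""
    return [(dn, map_authz(dn, [THREAD_RULE]), map_authz(dn, [STRICT_RULE]))
            for dn in samples]

if __name__ == "__main__":
    for dn, loose, strict in compare():
        print(f"{dn}\n  thread rule: {loose}\n  strict rule: {strict}")
```

An identity that comes back unchanged was not mapped, so ACL clauses written against the directory DN (`by self`, `by dn=...`) will not apply to it.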