Re: SASL authentication : Inappropriate authentication error

[Benoit Callebaut <bc@cetic.be>]

Thank you for the response.

I made the modifications but it doesn't change anything

for info , I use BekerleyDB 4.4, MIT-Kerberos 1.4.3,cyrus SASL 2.1.21 
and openldap 2.3.20

Quanah Gibson-Mount wrote:
> --On Monday, May 15, 2006 11:53 AM +0200 Benoit Callebaut 
> <bc@cetic.be> wrote:
>
>
> > The behavior of  ldapsearch is not what I expected:
> > 1 It asked be my "authorization name". Why ? I am already authenticated
> > by Kerberos (I have a ticket)
> > 2 It doesn't map my name to a correct dn.
> >
> > Here is the slapd.conf:
> > --- SNIP ---
> > # sasl-realm              TEST.CETIC.BE
> > sasl-host               pt-jv.cetic.be
>
> Don't set sasl-host.
>
> > access to dn.base="" by * read
> > access to dn.base="cn=Subschema" by * read
> > access to *
> >         by dn="cn=Manager,dc=pt-jv,dc=cetic,dc=be" write
> >         by dn="uid=ldapadm.+\+realm=TEST\.CETIC\.BE" write
> >         by dn="uid=bc.+\+realm=TEST\.CETIC\.BE" write
> >         by self write
> >         by Manager write
> >         by users read
> >         by anonymous auth
>
> Your authz-regexp's aren't correct at all.  Try this:
>
>
> authz-regexp uid=(.*),cn=TEST.CETIC.BE,cn=gssapi,cn=auth 
> uid=$1,ou=employees,ou=people,ou=Users,dc=pt-jv,dc=cetic,dc=be
>
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITS/Shared Application Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html