I finally made it and moved on, but now I face another problem.
My configs look like this:
log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try
My access list is:
access to * by * write
but I also set up, as I saw in the sasl-regexp config, the mapping below:
sasl-regexp
uid=(.+),cn=(.+),cn=.+,cn=auth
ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
uid=(.+),cn=.+,cn=auth
ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
sasl-regexp
uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
+
I have an idea of making it work like the one below, so as to give access to all of the registered users
while requiring a password from them. Is that correct?
# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
by anonymous auth
# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
by * none
# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
access to attrs=userPassword
by anonymous auth
# Anything else we may have forgotten is writable by admin, and viewable by authenticated users
access to dn.subtree="dc=teipir,dc=gr"
by users read
When I do something like:
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
and although I set it up to require a password (in the sasl config),
I get something like this:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
or when I use any other command client-side, I have full access to the tree with no password required.
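As an added illustration (not part of the original post), a small Python model of how slapd applies the two complete sasl-regexp rules above, in order, to a SASL authentication DN; the rule list is copied from the post, the sample DNs are constructed, and POSIX extended regex matching is approximated with Python's re module.

```python
import re

# The two complete sasl-regexp rules from the post, as (pattern, template).
# The peercred rule is left out because its target is not given in the post.
# Order matters: slapd uses the first pattern that matches.
SASL_REGEXP_RULES = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
]


def map_authc_dn(authc_dn, rules=SASL_REGEXP_RULES):
    """Return (rule_index, rewritten value) for the first rule that matches
    authc_dn, or (None, authc_dn) when no rule matches.

    Assumptions of this model: matching is case-insensitive and must cover
    the whole DN, and $N in the template is replaced by capture group N.
    """
    for idx, (pattern, template) in enumerate(rules):
        m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # Expand $1, $2, ... from the capture groups of this match.
        rewritten = re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))), template)
        return idx, rewritten
    return None, authc_dn


if __name__ == "__main__":
    # Constructed sample authentication DNs: a GSSAPI bind, a DIGEST-MD5
    # bind, and a peercred (EXTERNAL) bind that neither rule covers.
    for dn in ("uid=spiros,cn=TEIPIR.GR,cn=gssapi,cn=auth",
               "uid=spiros,cn=digest-md5,cn=auth",
               "uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth"):
        print(dn, "->", map_authc_dn(dn))
```

Note that the GSSAPI form is caught by the first rule, not the second, so the search base becomes dc=TEIPIR.GR,dc=gr; reordering the rules changes which LDAP URL a bind resolves to.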