Re: Preauth error ldap heimdal kerberos
On 22/03/10 12:49 +0200, Μανόλης Βλαχάκης wrote:
Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem.
My configs look like...
sasl configs:

log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try
Is this your slapd.conf SASL config? If so, you should be using the
internal 'slapd' auxprop plugin rather than ldapdb:
auxprop_plugin: slapd
My access list is:
access to * by * write
but I also set up, as I saw in the sasl-regexp config, the mapping below:
sasl-regexp
  uid=(.+),cn=(.+),cn=.+,cn=auth
  ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
  uid=(.+),cn=.+,cn=auth
  ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
sasl-regexp
  uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
  cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr
I have an idea of making it work like the one below, so as to give access to
all of the registered users while requiring them a password. Is that correct:

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
  by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
  by * none

# We will be using userPassword to provide simple BIND access, so we don't
# want this to be user editable
access to attrs=userPassword
  by anonymous auth

I use
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
by anonymous auth
by self write
by * none
When I do something like:
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
and although I set it up to require a password (in the SASL config),
I get something like this:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
  additional info: SASL(-14): authorization failure: not authorized
--
Dan White
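The "SASL(-14): authorization failure" in the thread above is produced at the step where slapd turns the SASL authentication identity into an authorization DN via sasl-regexp (authz-regexp). The following Python is an added illustration of that step and is not part of the thread or of OpenLDAP: it takes the first two rules from the posted slapd.conf, applies them the way slapd.conf(5) describes (rules tried in file order, stopping at the first match, $1..$9 substituted into the replacement; a replacement that is an LDAP URL is searched and must yield exactly one entry, while a DN is used directly; no match leaves the authentication DN unchanged), and prints what search each constructed identity would trigger. Assumptions, marked in the code: the sample identities follow the OpenLDAP Admin Guide forms uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth and gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, so the exact realm component a given Cyrus SASL build produces should be confirmed against the `-d 255` output; matching is done case-insensitively to mirror slapd; the third (peercred) rule from the post is left out because slapd.conf backslash handling is not modelled here.

```python
import re

# Rules copied from the posted slapd.conf, in file order (pattern, replacement).
# The third rule (peercred) is omitted: its backslash escaping depends on slapd.conf parsing.
RULES = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     r"ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     r"ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
]

# Constructed SASL authentication DNs (assumption: shapes as in the OpenLDAP Admin Guide;
# the realm component actually seen on a given server must be read from slapd -d output).
SAMPLE_IDENTITIES = {
    "gssapi":   "uid=spiros,cn=teipir.gr,cn=gssapi,cn=auth",          # spiros@TEIPIR.GR over GSSAPI
    "no_realm": "uid=spiros,cn=digest-md5,cn=auth",                   # mechanism without a realm
    "peercred": "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",  # root over ldapi://
}


def map_authc_dn(authc_dn, rules=RULES):
    """Return (rule_index, substituted_replacement) for the first matching rule, or None.

    Mirrors authz-regexp semantics: rules are checked in order, the first match wins,
    and $N in the replacement is the N-th capture group. Matching is case-insensitive
    (assumption: slapd compiles the patterns with REG_ICASE).
    """
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        expanded = re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
        return idx, expanded
    return None


def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516 layout) into its parts.

    RFC 4516 defaults apply when a field is empty: scope 'base', filter '(objectClass=*)'.
    """
    if not url.lower().startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL: %r" % url)
    fields = url[len("ldap:///"):].split("?")
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = fields[:4]
    return {"base": base, "attrs": attrs,
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def authorize(authc_dn, rules=RULES):
    """Model the authorization step slapd performs after SASL authentication succeeds."""
    mapped = map_authc_dn(authc_dn, rules)
    if mapped is None:
        # No rule matched: the authentication DN is used unchanged as the authorization DN.
        return {"rule": None, "authz_dn": authc_dn, "search": None}
    idx, result = mapped
    if result.lower().startswith("ldap:///"):
        # An LDAP URL: slapd runs this search and the single entry found becomes the
        # authorization DN; zero or several hits leave the bind unauthorized.
        return {"rule": idx, "authz_dn": None, "search": parse_ldap_url(result)}
    return {"rule": idx, "authz_dn": result, "search": None}


if __name__ == "__main__":
    for name, dn in SAMPLE_IDENTITIES.items():
        outcome = authorize(dn)
        print("%-9s %s" % (name, dn))
        if outcome["search"] is None:
            print("          -> rule %s, authorization DN: %s" % (outcome["rule"], outcome["authz_dn"]))
        else:
            s = outcome["search"]
            print("          -> rule %d, search base=%s scope=%s filter=%s"
                  % (outcome["rule"], s["base"], s["scope"], s["filter"]))
```

Running the block prints the search base, scope and filter that each identity would cause slapd to run; comparing that base against the directory's real suffix, and checking with ldapsearch that the filter matches exactly one entry, is the quickest way to see why a bind ends in "not authorized" even though authentication itself succeeded.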