[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Preauth error ldap heimdal kerberos



On Wednesday, 24 March 2010 11:04:57 Μανόλης Βλαχάκης wrote:
> 2010/3/24 Buchan Milne <bgmilne@staff.telkomsa.net>
> 
> > On Tuesday, 23 March 2010 11:18:57 Μανόλης Βλαχάκης wrote:
> > > after reading the openldap admin guide you mentioned
> > > i understud that by using -X on the ldapsearch command
> > > i should use the authzTo attribus as you said
> >
> > But, you haven't explained if or why you need to authorize to different
> > users.
> > IMHO, it looks plainly as if you have been using the -X flag by mistake
> > ...
> >
> > The document you referred to doesn't use -X anywhere, only -x in the case
> > of
> > simple binds.
> >
> > I want to do sasl bind not simple bind that's why i use the -X flag! Am i
> 
> wrong?

Yes. -x is for simple binds. Without -x, you get SASL binds (it is the 
default, if your software is compiled with SASL support). -X is not for 
forcing SASL, but for something a bit more obscure than what I think you want 
...

Here are some examples from a working OpenLDAP/Heimdal setup:

As a unix user:

Simple bind:

[bgmilne@tiger ~]$ ldapwhoami -x -D 
uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com -W
Enter LDAP Password:
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com


[bgmilne@tiger ~]$ kinit
bgmilne@RANGER.DNSALIAS.COM's Password:
[bgmilne@tiger ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: bgmilne@RANGER.DNSALIAS.COM

  Issued           Expires          Principal
Mar 24 12:30:43  Mar 24 19:10:43  
krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM


SASL/GSSAPI:

[bgmilne@tiger ~]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
[bgmilne@tiger ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: bgmilne@RANGER.DNSALIAS.COM

  Issued           Expires          Principal
Mar 24 12:30:43  Mar 24 19:10:43  
krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
Mar 24 12:30:50  Mar 24 19:10:43  
ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM


Simple, anonymous:

[bgmilne@tiger ~]$ ldapwhoami -x
anonymous


SASL/EXTERNAL on ldapi

[bgmilne@tiger ~]$ ldapwhoami -x -H ldapi:/// -Y EXTERNAL
ldapwhoami: incompatible with authentication choice
[bgmilne@tiger ~]$ ldapwhoami -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=501+uidNumber=501,cn=peercred,cn=external,cn=auth
SASL SSF: 0
anonymous


As root:

For KDC's access to LDAP:

[root@tiger ~]# cat .ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
[root@tiger ~]# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com


For nss_ldap etc. to enumerate users (e.g., would be identical on client-only 
hosts), so that proxy users are not required, and access is host-specific with 
no clear-text credentials on clients:


[root@tiger ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM

  Issued           Expires          Principal
Mar 24 12:22:01  Mar 24 19:02:01  
krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
Mar 24 12:33:51  Mar 24 19:02:01  
ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM

[root@tiger ~]# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: host/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=host/tiger.ranger.dnsalias.com,ou=people,dc=ranger,dc=dnsalias,dc=com


> what are you suggesting to do with the users? I believe that there is not
> need to have
> all users authoirized but only two for example only these who i have in
> kerberos
> ldapmaste and kadmin/admin! am i right?

I don't know what you are trying to achieve.

> Take a look to my slapd.conf!

It's pointless without knowing what you are trying to achieve.

> My problem, is that i  want to do sasl bind with password and not only with
> dn because now i do sasl bind only with one of the authorized dn!

If you have Kerberos, why do you want to provide a password? You should 
instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by 
password transfer in clear text to slapd).


Regards,
Buchan