Re: SASL auth not working
Dan White wrote:
> On 23/06/10 10:27 -0300, Diego Lima wrote:
>> I'm trying to set up openldap to authenticate using my kerberos
>> service, but I'm not having success so far.
>
>> The userPassword value translates to {SASL}diego.lima@USERS
IMO that's not needed for SASL/GSSAPI.
>> When I try to do an authenticated search on LDAP I see the following:
>>
>> # ldapsearch -D
>> krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
>> dc=domain,dc=com,dc=br '(objectClass=*)' -W
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>
> When doing a SASL bind, you should specify the same username that you are
> authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of
> a -D option:
>
> ldapwhoami -U diego.lima@USERS
He would also have to specify -Y GSSAPI.
And of course slapd has to be kerberized first to make this work.
> By default, the cyrus sasl library will not use saslauthd. You'll need to
> create a /usr/lib/sasl2/slapd.conf file with:
>
> pwcheck_method: saslauthd
Are you sure that's suitable for SASL/GSSAPI for Krb5?
Frankly I have some doubts because that's for password-based mechs.
Ciao, Michael.
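As an added example, not code from anyone in this thread, following Michael's SASL/GSSAPI route: the bind with -Y GSSAPI, the SASL identity slapd derives from a Kerberos principal, and an assumed authz-regexp that maps it onto the krbPrincipalName entry Diego was binding as with -D. The LDAP URI and the mapping are assumptions for this thread's DIT.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the GSSAPI bind and the identity
# slapd derives from the Kerberos principal, which is what an authz-regexp has
# to map onto the entry used with -D. LDAP_URI and the mapping are assumed.

# For a GSSAPI bind slapd builds the identity
# uid=<user>,cn=<realm>,cn=gssapi,cn=auth and matches authz-regexp against
# its normalized (lower-case) form, so the regexp is written in lower case.
sasl_authzid() {   # $1 = Kerberos principal, e.g. diego.lima@USERS
    user=${1%@*}
    realm=${1#*@}
    printf 'uid=%s,cn=%s,cn=gssapi,cn=auth\n' "$user" "$realm" | tr 'A-Z' 'a-z'
}

# Same mapping slapd would apply with this (assumed) slapd.conf directive,
# written for the DIT in the thread:
#   authz-regexp
#       uid=([^,]*),cn=users,cn=gssapi,cn=auth
#       krbPrincipalName=$1@USERS,cn=USERS,dc=domain,dc=com,dc=br
# Without it, ldapwhoami reports the bare cn=auth identity and ACLs written
# against the krbPrincipalName entry do not apply to the bound user.
map_to_dn() {      # $1 = SASL identity as printed by ldapwhoami
    case $1 in
        uid=*,cn=users,cn=gssapi,cn=auth)
            id=${1#uid=}
            id=${id%%,*}
            printf 'krbPrincipalName=%s@USERS,cn=USERS,dc=domain,dc=com,dc=br\n' "$id" ;;
        *) return 1 ;;
    esac
}

# The bind itself: no -D and no -W. GSSAPI authenticates with the ticket
# cache, so check for a valid ticket first; -Y pins the mechanism so the
# client cannot fall back to a password-based one. slapd must already hold
# a ldap/<fqdn>@USERS key (kerberized, as Michael says) for this to work.
gssapi_whoami() {  # $1 = LDAP URI, e.g. ldap://ldap.domain.com.br (assumed)
    klist -s 2>/dev/null || { echo "no Kerberos ticket; run kinit first" >&2; return 1; }
    ldapwhoami -Y GSSAPI -H "$1"
}

# Only binds when invoked directly with a URI, so the file is safe to source.
if [ $# -eq 1 ]; then
    gssapi_whoami "$1"
fi
```

Before the authz-regexp is in place, ldapwhoami should print the uid=...,cn=auth identity; afterwards it should print the mapped krbPrincipalName DN, which is the quickest check that the mapping matched.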