Kerberized LDAP not accessible
- To: openldap-technical@openldap.org
- Subject: Kerberized LDAP not accessible
- From: Thomas Schweikle <tps@vr-web.de>
- Date: Fri, 21 Jan 2011 11:45:53 +0100
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; de-DE; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
Hi!
I kerberized ldap:
dn: cn=config
objectClass: olcGlobal
cn: config
olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=example,dc=com
olcSaslHost: srv.example.com
olcSaslRealm: EXAMPLE.COM
In /etc/ldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://srv.example.com
SASL_MECH GSSAPI
In /etc/ldap.conf
base dc=example,dc=com
uri ldap://srv.example.com
ldap_version 3
rootbinddn cn=adm,dc=example,dc=com
pam_password md5
I now try to connect to my ldap server:
client:~$ kinit user
Password for user@EXAMPLE.COM:
client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal
01/21/11 11:32:03 01/21/11 21:32:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 01/22/11 11:31:58
client:~$ ldapsearch -H ldap://srv.example.com
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
client:~$ ldapsearch -D uid=user,dc=example,dc=com -H ldap://srv.example.com
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
The user in question exists:
dn: cn=user user,ou=Users,dc=example,dc=com
givenName: user
sn: user
cn: user user
uid: user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
loginShell: /bin/zsh
Any idea what is wrong? As far as I see:
I do have a tgt and thus I shall be authenticated. But I am not
granted access! Any idea why?
--
Thomas
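As an added example (not code from the post or from OpenLDAP itself), the Python below applies the post's olcAuthzRegexp rule to the identity slapd derives from each SASL mechanism, which shows why a bind that negotiated DIGEST-MD5, as in the first ldapsearch output above, never reaches the GSSAPI mapping at all. The function names, the uid=<user>,cn=<realm>,cn=<mech>,cn=auth identity form, and case-insensitive, unanchored matching are assumptions made here.

```python
import re

# olcAuthzRegexp rule copied from the post: (match pattern, replacement template).
AUTHZ_REGEXP = (r"uid=(.*),cn=example.com,cn=gssapi,cn=auth",
                r"uid=$1,ou=Users,dc=example,dc=com")


def map_authcid(authcid, rules=(AUTHZ_REGEXP,)):
    """Return the DN the first matching rule maps a SASL authcid to, or None.

    Assumed to mirror slapd: rules are tried in order, the pattern is a
    case-insensitive unanchored extended regex, and $1..$9 in the
    replacement are filled from the capture groups.
    """
    for pattern, template in rules:
        m = re.search(pattern, authcid, flags=re.IGNORECASE)
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def sasl_authcid(user, realm, mech):
    """Identity slapd derives from a SASL bind (assumed form):
    uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth"""
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (user, realm, mech.lower())


def negotiated_mech(ldapsearch_output):
    """Mechanism named in the client's 'SASL/<MECH> authentication started' line."""
    m = re.search(r"^SASL/(\S+) authentication started", ldapsearch_output, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inputs: the identity each mechanism would present for 'user'.
    gssapi_id = sasl_authcid("user", "EXAMPLE.COM", "GSSAPI")
    digest_id = sasl_authcid("user", "EXAMPLE.COM", "DIGEST-MD5")
    print(gssapi_id, "->", map_authcid(gssapi_id))   # mapped to the user's DN
    print(digest_id, "->", map_authcid(digest_id))   # None: rule does not apply
    # Constructed copy of the client output quoted in the post.
    out = "SASL/DIGEST-MD5 authentication started\nPlease enter your password:\n"
    print("client negotiated:", negotiated_mech(out))
```

Comparing negotiated_mech() against the mechanism the rule expects is a quick check that the client side (SASL_MECH in ldap.conf or a user's ~/.ldaprc) is actually selecting GSSAPI.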