Chastity Blackwell wrote:
On Thu, 2012-01-26 at 17:38 -0500, Howard Chu wrote:Raffael Sahli wrote:No, authz-regexp is to map a sasl dn to a real user account in your ldap directory. But your user is chas@test.com with a realm named test.com, your userPassword should be {SASL}chas@KRBTESTWhat the heck are you talking about? If the username is chas@test.com then that is what goes in the password: userpassword: {SASL}chas@test.com If the realm is actually KRBTEST then the username should be chas@KRBTEST.and also exists as a principal on your kerberos db ;)Okay, I'm a little confused here now.
Clearly.
So here's what I have in krb5.conf:
Does kinit work for your chas@KRBTEST user? Judging from what you've pasted here, I don't think it should. Get your basic Kerberos installation working first. Take things one step at a time.
[libdefaults]
default_realm = KRBTEST
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
AKTEST = {
kdc = ldapsandbox.test.com:88
admin_server = ldapsandbox.test.com:749
default_domain = test.com
}
[domain_realm]
.agkn.net = KRBTEST
agkn.net = KRBTEST
And when I look at my principals in Kerberos, this is what I have:
kadmin: listprincs
K/M@KRBTEST
chas/admin@KRBTEST
chas@KRBTEST
host/ldapsandbox.test.com@KRBTEST
kadmin/admin@AKTEST
kadmin/changepw@AKTEST
kadmin/history@AKTEST
kadmin/ldapsandbox.test.com@KRBTEST
krbtgt/KRBTEST@KRBTEST
ldap/ldapsandbox.test.com@KRBTEST
root/admin@KRBTEST
So what should the userPassword attribute be set to? I assumed it should
be {SASL}chas@KRBTEST -- is that correct? I just want to make sure I'm
on the right track there.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/