RE: Need SASL idiot-proof walkthrough

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Friday, March 26, 2004 3:46 PM -0600 Digant Kasundra <digant@uta.edu> 
wrote:

> I have done the sample-server and sample-client and successfully got to
> the "Negotiation complete" part.  But OpenLDAP is still giving me
> problems:
>
> do_sasl_bind: dn () mech GSSAPI
> SASL [conn=32] Failure: GSSAPI Error: Miscellaneous failure (see text)
> (Decrypt integrity check failed)
>
> The sasl tests work, kinit works, ???  I'm not sure what the problem could
> be.  I do have an entry for dn: uid=digant,cn=people,dc=uta,dc=edu and my
> slapd.conf file has the following:
>
> (I do notice that the bind dn is "" which makes me think my sasl-regexp is
> fubar.)
>
> sasl-realm "KERB.UTA.EDU"
> sasl-host labrador.kerb.uta.edu
> sasl-regexp uid=(.*),cn=kerb.uta.edu,cn=gssapi,cn=auth
> ldap:///uid=$1,cn=people,dc=uta,dc=edu??sub

This is definitely not a valid regexp.

First, run slapd as -d -1 and see what your bind instance is, that will 
probably help a bit.

Second, if you don't need to do a search down into the tree, which it looks 
like you don't, you could simply do:

sasl-regexp uid=(.*),cn=kerb.uta.edu,cn=gssapi,cn=auth 
uid=$1,cn=people,dc=uta,dc=edu

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html