
Re: client server connection to LDAP/Kerberos



On 02/01/13 10:08 +1100, Asmaa Ahmed wrote:
Hello,

I recently added Kerberos authentication to my LDAP server, and I am trying
to connect the other servers to it.
I have a server running Davical shared calendar, and I hope to get it
working with my LDAP server again after Kerberos integration.

Here is my configuration which was working before the integration and my
source is
http://wiki.davical.org/w/Configuration/LDAP#Kerberos_Authentication

 $c->authenticate_hook['config'] = array(
   'host'          => 'ldap.domain.com', // host name of your LDAP Server
   'port'          => '389', // port
//   'bindDN'        => 'cn=admin,dc=domain,dc=com', // DN to bind request to this server (if required)
//   'passDN'        => 'password', // Password of request bind
   'baseDNUsers'   => 'ou=People,dc=domain,dc=com', // where to look for valid user
   'filterUsers'   => 'objectClass=*', // filter which must validate a user according to RFC4515, i.e. surrounded by brackets
   'protocolVersion' => 3, // important for simple auth (no sasl)
//   'startTLS'    => true, // securing your LDAP connection
   'i_use_mode_kerberos' => "i_know_what_i_am_doing",
 );

My slapd error logs:
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND

My OLC configuration:
root@ldap:/var/log# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=([^,]+),cn=domain.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=domain,dc=com
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcSaslRealm: DOMAIN.COM
olcToolThreads: 1

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=krb5,dc=domain,dc=com" by dn="cn=adm-srv,ou=krb5,domain,dc=com" write by dn="cn=kdc-srv,ou=krb5,domain,dc=com" read by * none
olcAccess: {2}to attrs=loginShell,gecos by self write by users read by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcLastMod: TRUE
olcRootDN: uid=admin,ou=people,domain,dc=com


Any suggestion to fix the binding and get my search working again with
Kerberos authentication?

Thanks.

Can you reproduce this problem with ldapsearch and/or ldapwhoami (-Y
GSSAPI) on the server which is running davical?

--
Dan White
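As an added example that is not part of the thread, the script below parses slapd stats-level log lines like those quoted above and records, per connection, how it bound (method=128 is a simple bind, anonymous when dn="", and method=163 is SASL) and how each search ended, so the anonymous bind and the err=32 (noSuchObject) result stand out at a glance. The log is a constructed copy of the quoted lines re-joined onto single lines, plus a constructed second connection showing what a GSSAPI bind looks like for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the quoted slapd "stats" lines re-joined, plus a constructed SASL/GSSAPI connection.
SAMPLE_LOG = """\
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND
Jan 31 23:41:00 ldap slapd[1059]: conn=1274 op=0 BIND dn="" method=163
Jan 31 23:41:00 ldap slapd[1059]: conn=1274 op=0 BIND dn="uid=asmaa,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
"""

METHODS = {128: "simple", 163: "sasl"}  # LDAP bind method codes as slapd logs them
LINE_RE = re.compile(r"conn=(\d+) (?:fd=\d+ )?(?:op=(\d+) )?(.*)$")

def diagnose(log):
    """Per connection: bind kind, bound DN, and (base, err, nentries) for each search."""
    findings = defaultdict(lambda: {"bind": None, "bind_dn": None, "searches": []})
    pending = {}  # (conn, op) -> search base, until its SEARCH RESULT line arrives
    for m in filter(None, map(LINE_RE.search, log.splitlines())):
        conn, op, text = int(m.group(1)), m.group(2), m.group(3)
        f = findings[conn]
        if text.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', text).group(1)
            method = re.search(r"method=(\d+)", text)
            mech = re.search(r"mech=(\S+)", text)
            if method:  # first BIND line: a simple bind with an empty DN is anonymous
                kind = METHODS.get(int(method.group(1)), "unknown")
                f["bind"] = "anonymous" if kind == "simple" and dn == "" else kind
            if mech:    # SASL follow-up line carries the mechanism and the mapped authz DN
                f["bind"] = "sasl/" + mech.group(1)
            if dn:
                f["bind_dn"] = dn
        elif text.startswith("SRCH base="):
            pending[(conn, op)] = re.search(r'base="([^"]*)"', text).group(1)
        elif text.startswith("SEARCH RESULT "):
            err = int(re.search(r"err=(\d+)", text).group(1))
            n = int(re.search(r"nentries=(\d+)", text).group(1))
            f["searches"].append((pending.pop((conn, op), None), err, n))
    return dict(findings)

def anonymous_nosuchobject(findings):
    """Connections that bound anonymously and then got err=32 (noSuchObject) for a search."""
    return sorted(c for c, f in findings.items()
                  if f["bind"] == "anonymous" and any(s[1] == 32 for s in f["searches"]))
```

slapd answers noSuchObject both for a base that does not exist and for one the bound identity may not read, so an anonymous bind under an ACL ending in `by * none` produces exactly this pattern.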