
Re: OpenLDAP configuration ?



At 03:05 PM 1/29/01 +0200, Mika Saari wrote:
>  I have built OpenLDAP package with --enable-kpasswd and
>--with-cyrus-sasl. Also I have installed Kerberos server and successfully
>utilized database with some principals, so I can "kinit" myself against
>kerberos server. I have utilized LDAP server (in simple -x mode) with
>some user entries. My understanding of OpenLDAP, Kerberos and SASL is
>really newbie level and I do not get all work like I would like to
>(Browsing mailing-list through still). So here are some questions.
>
>    1. I start server /usr/local/libexec/slapd -d 1 -h "ldap:///". Now I
>can put entries to server if I use "-x" simple authentication with
>ldapadd and search with ldapsearch. But if trying to use SASL (without
>that -x) I get just error message: "ldap_sasl_interactive_bind_s: No
>such object".

This implies that "anonymous" cannot read the root DSE and hence
cannot discover which SASL mechanisms are supported.

>From debug I do notice that sasl_init is ok, but nothing
>else sasl dependent not found from debug information (Even if using -d
>-1). I do have TLSSertificateFile and TLSSertificateKeyFile created and
>added to slapd.conf (if there is any help from these for
>SASL authentication ?). What might be the problem ?

These are for TLS authentication, not SASL authentication.

>    2. What kind of changes I should do for my user entries which are in
>LDAP server if I want to use Kerberos authentication (currently test
>entry is using {crypt} encryption, and the password is saved in
>LDAP database).

If you intend to use SASL/GSSAPI Kerberos authentication, no
changes to your entries are required.  Authentication information
is held in Kerberos.

>    3. What kind of configurations I have to do to ldap.conf and
>slapd.conf for Kerberos authentication ?

None should be needed.

Kurt
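
The check behind the first answer above, as an added example that is not part of the original message: a SASL client first reads `supportedSASLMechanisms` from the root DSE, so the script classifies the LDIF an anonymous base-scope search of the empty DN returns. The host URL, the function names and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live query this script is meant to post-process (assumed host URL):
#   ldapsearch -x -H ldap://localhost/ -LLL -s base -b "" supportedSASLMechanisms

# Constructed sample: root DSE readable anonymously, two mechanisms offered.
SAMPLE_OK='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5'

# Constructed sample: nothing returned (e.g. ACLs deny anonymous read of the root DSE).
SAMPLE_DENIED=''

# list_mechs: read LDIF on stdin, print one mechanism name per line.
# Attribute names are case-insensitive in LDAP, so compare in lower case.
list_mechs() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# check_root_dse LDIF [MECH]   (hypothetical helper; MECH defaults to GSSAPI)
#   returns 0: MECH is advertised
#   returns 1: mechanisms are visible but MECH is not among them
#   returns 2: no mechanisms visible at all
check_root_dse() {
    want=${2:-GSSAPI}
    mechs=$(printf '%s\n' "$1" | list_mechs)
    if [ -z "$mechs" ]; then
        echo "no supportedSASLMechanisms visible (root DSE not readable by this identity, or none offered)"
        return 2
    fi
    if printf '%s\n' "$mechs" | grep -qixF "$want"; then
        echo "$want advertised"
        return 0
    fi
    echo "$want not advertised; server offers: $(echo $mechs)"
    return 1
}

# Demonstration on the constructed sample.
check_root_dse "$SAMPLE_OK"
```

A return value of 2 corresponds to the situation in the reply: the client cannot discover any mechanism, so the bind fails before Kerberos is ever involved.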