
Re: Problem with SASL and GSSAPI



Quoting Jean-Eric Cuendet <Jean-Eric.Cuendet@linkvest.com>:

> > If you had read the error message, you would understand.
> > 'No such object' means, that right, there is no such
> > object.....
> 
> Thanks but it was not the error message I have problem with :-)
> 
> > If using -D, -W and -w, then you must use -x too (you're using simple
> > bind). If you want to use GSSAPI bind, use -I or -U (AFTER running
> > kinit).
> 
> OK, so if I use:
> [root@testbed openldap]# ldapmodify -f sample.ldif -r -I
> It would be OK?
> I always get the same error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Unknown error
>         additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure;
> Permission denied;

I assume that you have executed 'kinit' to get a ticket... Now it's time
to update the slapd ACLs to allow that principal to write to that part
of the tree/that attribute...

Checking your previous mails, that should be 'jec@LINKVEST.COM'... But on
the other hand, you are running that ldapmodify command as root, so it's
probably trying to authenticate with 'root@LINKVEST.COM'. Try specifying
'-U joe' (or '-U joe@LINKVEST.COM', see below) instead of -I.


Just a simple example of how an ACL would look, assuming that you want
jec@LINKVEST.COM to have full write access under dc=linkvest,dc=com.

----- s n i p -----
access to dn=".*,dc=linkvest,dc=com"
        by dn="uid=jec\+realm=LINKVEST.COM" write
----- s n i p -----

I _THINK_ this is the way it's supposed to work... It depends on whether
you have the same bug in SASL as I do (I haven't found a fix for that yet).

To double check if you should use the '\+realm=LINKVEST.COM' part, run
slapd with '-d -1' and look for 'slap_sasl_bind: username=....'.

If the 'realm=...' part is there, then you should use the realm above;
otherwise, you have found a serious bug in SASL. It's supposed to be
fixed in v1.5.24. But I'm running that version and still have the
problem that the realm part is not there. Granted, I'm using a slightly
modified Debian GNU/Linux package, and according to Kurt (I think it
was) about two weeks ago, the bug doesn't appear if compiling/installing
from the original tarball...




-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
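The check described in the mail above (run slapd with '-d -1', find the 'slap_sasl_bind: username=...' line, and decide whether the 'realm=' part belongs in the ACL), written out as a small POSIX sh helper. This is an added example, not code from the mail or from the OpenLDAP project: the debug log excerpt is constructed to resemble the line the mail refers to (the exact format printed by that slapd version is an assumption), and the helper escapes '+' as '\+' because the 'dn="..."' pattern in the mail's ACL is matched as a regex.

```shell
#!/bin/sh
# Added example (not from the original mail). Extract the SASL username
# that slapd logged during a GSSAPI bind and turn it into the 'by dn=...'
# clause used in the ACL from the mail. The log below is CONSTRUCTED to
# look like 'slapd -d -1' output; it is not real slapd output.

SAMPLE_LOG='connection_get(9)
do_bind: version=3 dn="" method=163
slap_sasl_bind: dn () mech GSSAPI
slap_sasl_bind: username=uid=jec+realm=LINKVEST.COM
slap_sasl_bind: ... done'

# Print the first username slapd reported on a 'slap_sasl_bind:' line
# read from stdin; print nothing if no such line exists.
sasl_username() {
    sed -n 's/^.*slap_sasl_bind: username=\(.*\)$/\1/p' | head -n 1
}

# Return 0 when the username carries a 'realm=' component, 1 otherwise.
# The 1 case is the SASL bug the mail talks about: the realm is missing,
# so an ACL written with '\+realm=...' would never match.
has_realm() {
    case "$1" in
        *realm=*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build the ACL clause. '+' is special in the regex-style dn="..." pattern
# of that slapd version, so it is escaped as '\+' exactly as in the mail.
acl_by_clause() {
    printf 'by dn="%s" write\n' "$(printf '%s' "$1" | sed 's/+/\\+/g')"
}

# Stand-alone run over the constructed log.
u=$(printf '%s\n' "$SAMPLE_LOG" | sasl_username)
if has_realm "$u"; then
    echo "slapd reports a realm; use this clause under 'access to ...':"
    acl_by_clause "$u"
else
    echo "no 'realm=' in '$u': write the ACL without the realm part"
fi
```

Feed it the real debug output instead of SAMPLE_LOG (for example 'slapd -d -1 2>&1 | sasl_username') and compare the printed clause with what is in slapd.conf; a mismatch between the two is the usual reason a correctly obtained ticket still ends in an access error.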