
Problems with Kerberos SASL bind to LDAP

I'm currently trying to build a whole new authentication and user
database system.  I'm using OpenLDAP (2.0.14) to store all the various
bits and pieces about the users and Kerberos (MIT 1.2.2) to do all the
authentication.  I've got bits and pieces working nicely.  So far, so

I was about to describe how I was having a couple of issues, but I think
I've just had an epiphany.  When you're doing a SASL bind, the
authentication id is your Kerberos principal, correct?  And the
authorization id is the DN you want to bind as, right?

If so, that neatly brings me onto the second issue.  How do I associate
a particular kerberos principal with a particular DN?  I currently get
from the server:

SASL Authorize [conn=5]: "ldapadm" as \
  "dn:cn=ldapadm,ou=People,dc=wossname,dc=org,dc=uk" disallowed. No \

when I attempt to bind with something along the lines of:

drusilla:/var/tmp/openssl-0.9.6a# ldapsearch -X \
  dn:"cn=ldapadm,ou=People,dc=wossname,dc=org,dc=uk" \
  -H ldap://ldap.wossname.org.uk/ -ZZ -s base -b "" supportedSASLMechanisms

However, if I try with:

drusilla:/var/tmp/openssl-0.9.6a# ldapsearch -X ldapadm \
  -H ldap://ldap.wossname.org.uk/ -ZZ -s base -b "" supportedSASLMechanisms

it works OK.  If I try *anything* else as the authorization id
(including ldapadm@WOSSNAME.ORG.UK), it fails in the same way as

Another thing I've noticed ... I've been following the howto at
http://www.bayour.com/LDAPv3-HOWTO.html which has proved to be
particularly helpful.  However, I'm having trouble with the following
access stanza in slapd.conf:

access to *
        by dn="cn=admin,ou=People,dc=wossname,dc=org,dc=uk" write
        by dn="uid=ldapadm.+\+realm=WOSSNAME.ORG.UK" write
        by * read

I don't get the second 'by dn=...' line.  Would somebody care to explain
it?  Having played around, I've discovered that it doesn't match my bind
against the database above which successfully binds.  If I reduce it to

access to *
        by dn="uid=ldapadm" write

it does work.

This probably doesn't make much sense.  I'm currently way out of my
depth with trying to understand all this.  Any help would be greatly
graeme+sig@mathie.cx                          http://www.mathie.cx/~graeme/
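The `by dn="..."` value in a slapd.conf access stanza is a regular expression, so whether it grants write access depends on exactly which string the SASL layer hands to the access-control check and on how the pattern is written. The following script is an added example (not part of the original post, nor OpenLDAP's own code) that runs the two patterns from the message above, plus an anchored variant written here, against a few constructed candidate bind-DN strings. It assumes slapd matches the value as an unanchored POSIX regex (equivalent to Python's `re.search`), and it assumes, for the constructed second candidate, that a 2.0-era SASL bind with a realm is presented as `uid=<user>+realm=<REALM>`; both are assumptions, not facts taken from the post.

```python
import re

# Patterns copied verbatim from the slapd.conf stanzas quoted in the post.
ORIGINAL_PATTERN = r"uid=ldapadm.+\+realm=WOSSNAME.ORG.UK"
REDUCED_PATTERN = r"uid=ldapadm"

# Anchored, fully escaped variant constructed for this example (not from the post).
ANCHORED_PATTERN = r"^uid=ldapadm\+realm=WOSSNAME\.ORG\.UK$"

# Constructed candidate strings a bind might present to the access check.
# The '+realm=' form is an assumption about how the SASL DN is built here.
CANDIDATE_DNS = [
    "uid=ldapadm",                                    # bare authcid, no realm
    "uid=ldapadm+realm=WOSSNAME.ORG.UK",              # assumed SASL DN with realm
    "uid=ldapadmin+realm=WOSSNAME.ORG.UK",            # a different, longer uid
    "uid=ldapadm,ou=People,dc=wossname,dc=org,dc=uk",  # an ordinary directory DN
]


def dn_matches(pattern: str, dn: str) -> bool:
    """Return True if the access-control regex matches the bind DN string.

    Assumption: the pattern is applied unanchored, so a match anywhere in
    the string counts, exactly as re.search behaves.
    """
    return re.search(pattern, dn) is not None


def evaluate(patterns: list[str], dns: list[str]) -> dict[str, list[str]]:
    """Map each pattern to the candidate DNs it would grant access to."""
    return {p: [dn for dn in dns if dn_matches(p, dn)] for p in patterns}


if __name__ == "__main__":
    for pattern, granted in evaluate(
        [ORIGINAL_PATTERN, REDUCED_PATTERN, ANCHORED_PATTERN], CANDIDATE_DNS
    ).items():
        print(f'by dn="{pattern}" write')
        for dn in granted:
            print(f"    grants: {dn}")
        if not granted:
            print("    grants: (nothing)")
```

Running it shows two things worth checking before trusting a stanza like this. The original pattern's `.+` demands at least one character between `ldapadm` and `+realm`, so it would never match the exact `uid=ldapadm+realm=...` string while happily matching `uid=ldapadmin+realm=...`; the unescaped dots in the realm are wildcards as well. The reduced `uid=ldapadm` pattern matches every candidate, including the unrelated `ldapadmin` one, because nothing anchors it. An anchored and escaped pattern grants exactly the one intended identity.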