
Re: Mapping userPassword to Kerberos 5

On Wed, Aug 06, 2003 at 11:23:57AM -0400, Stephen Frost wrote:
> It might be enough to compile with --enable-spasswd (SASL) and to then
> use {SASL} in the userPassword.  I'd like to know if this actually works
> or not...

I have the following entry:

dn: uid=lewiz,ou=People,dc=lewiz,dc=org
uid: lewiz
cn: Lewis Thompson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
krb5PrincipalName: lewiz@LEWIZ.ORG
userPassword:: e1NBU0x9bGV3aXpATEVXSVouT1JH
loginShell: /bin/csh
uidNumber: 4001
gidNumber: 4001
homeDirectory: /home/lewiz
gecos: Lewis Thompson

  The userPassword was entered as {SASL}lewiz@LEWIZ.ORG.  I have
openldap21 compiled with --enable-spasswd (no --enable-kpasswd) and I
have the following saslRegexp:

saslRegexp
    uid=(.*),cn=(.*),cn=GSSAPI,cn=auth
    uid=$1,dc=lewiz,dc=org

  When I try ldapwhoami:

# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

  I have a valid ticket:

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: lewiz@LEWIZ.ORG

  Issued           Expires          Principal
Aug  6 16:06:04  Aug  7 02:06:04  krbtgt/LEWIZ.ORG@LEWIZ.ORG
Aug  6 16:06:07  Aug  7 02:06:04  ldap/orange.lewiz.org@LEWIZ.ORG

  I've been having troubles with this for a while; I thought it was
because I was trying to use {KERBEROS} but I get the same with {SASL}.
This is FreeBSD, not Debian but it might be of some use to you.

  Best wishes,

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-

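An added check script, not part of the post above, that reproduces the two things the poster configured: it decodes the LDIF `userPassword::` value to confirm it reads `{SASL}lewiz@LEWIZ.ORG`, and it pushes a constructed GSSAPI auth DN in the `uid=<primary>,cn=<realm>,cn=GSSAPI,cn=auth` form through the saslRegexp rule. It assumes whole-string, case-insensitive matching with `$1`..`$9` backreferences (the regexp semantics are an assumption here). Note that `gss_accept_sec_context` fails in the GSSAPI layer before slapd ever applies the regexp, and that as written the rule yields `uid=lewiz,dc=lewiz,dc=org`, which is not the entry's DN `uid=lewiz,ou=People,dc=lewiz,dc=org`.

```python
import base64
import re

# Values copied from the post (entry DN, saslRegexp rule, base64 userPassword).
ENTRY_DN = "uid=lewiz,ou=People,dc=lewiz,dc=org"
USERPASSWORD_B64 = "e1NBU0x9bGV3aXpATEVXSVouT1JH"
SASL_REGEXP_MATCH = r"uid=(.*),cn=(.*),cn=GSSAPI,cn=auth"
SASL_REGEXP_REPLACE = "uid=$1,dc=lewiz,dc=org"
# Constructed sample: the auth DN slapd would build for lewiz@LEWIZ.ORG,
# assuming the uid=<primary>,cn=<realm>,cn=<mech>,cn=auth form.
SAMPLE_AUTH_DN = "uid=lewiz,cn=LEWIZ.ORG,cn=GSSAPI,cn=auth"


def decode_userpassword(b64_value: str) -> str:
    """Decode an LDIF 'userPassword::' (base64-encoded) value to text."""
    return base64.b64decode(b64_value).decode("utf-8")


def split_scheme(value: str):
    """Split '{SCHEME}rest' into ('SCHEME', 'rest'); no scheme -> (None, value).
    A {SASL} value is only consulted on simple binds, where slapd hands the
    supplied password to Cyrus SASL; a SASL/GSSAPI bind never reads it."""
    m = re.fullmatch(r"\{([^}]+)\}(.*)", value, re.DOTALL)
    return (m.group(1), m.group(2)) if m else (None, value)


def apply_sasl_regexp(auth_dn: str, match: str, replace: str):
    """Map a SASL auth DN through one saslRegexp rule.
    Assumed semantics: whole-string, case-insensitive match; $1..$9 are
    backreferences. Returns the rewritten DN, or None when the rule misses."""
    m = re.fullmatch(match, auth_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replace)


def check_mapping(auth_dn: str, entry_dn: str) -> bool:
    """True when the poster's rule maps auth_dn onto entry_dn (DN comparison
    is case-insensitive). slapd reaches this step only after the GSSAPI
    handshake succeeded, i.e. after gss_accept_sec_context returned OK."""
    mapped = apply_sasl_regexp(auth_dn, SASL_REGEXP_MATCH, SASL_REGEXP_REPLACE)
    return mapped is not None and mapped.lower() == entry_dn.lower()


if __name__ == "__main__":
    pw = decode_userpassword(USERPASSWORD_B64)
    print("userPassword:", pw, "->", split_scheme(pw))
    print("auth DN maps to:", apply_sasl_regexp(
        SAMPLE_AUTH_DN, SASL_REGEXP_MATCH, SASL_REGEXP_REPLACE))
    print("matches entry DN:", check_mapping(SAMPLE_AUTH_DN, ENTRY_DN))
```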