
Re: Mapping userPassword to Kerberos 5



I took Turbo's advice and created some saslRegexp similar to his for my
directory.  I do not use the userPassword in LDAP at all.  I would look
at his saslRegexp in this thread though as it is quite different from
yours.  Anyhow, doing ldapwhoami works great for me now and I'm still
not authenticating with LDAP at all (see other notes in this thread
about why that is a real problem - I have seen the light :)).  

Thanks to everyone else for their respective responses!

Ben

On Wed, 2003-08-06 at 12:14, Lewis Thompson wrote:
> On Wed, Aug 06, 2003 at 11:23:57AM -0400, Stephen Frost wrote:
> > It might be enough to compile with --enable-spasswd (SASL) and to then
> > use {SASL} in the userPassword.  I'd like to know if this actually works
> > or not...
> 
> I have the following entry:
> 
> dn: uid=lewiz,ou=People,dc=lewiz,dc=org
> uid: lewiz
> cn: Lewis Thompson
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: krb5Principal
> krb5PrincipalName: lewiz@LEWIZ.ORG
> userPassword:: e1NBU0x9bGV3aXpATEVXSVouT1JH
> loginShell: /bin/csh
> uidNumber: 4001
> gidNumber: 4001
> homeDirectory: /home/lewiz
> gecos: Lewis Thompson
> 
>   The userPassword was entered as {SASL}lewiz@LEWIZ.ORG.  I have
> openldap21 compiled with --enable-spasswd (no --enable-kpasswd) and I
> have the following saslRegexp:
> 
> saslRegexp
>     uid=(.*),cn=(.*),cn=GSSAPI,cn=auth
>     uid=$1,dc=lewiz,dc=org
> 
>   When I try ldapwhoami:
> 
> # ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
> 
>   I have a valid ticket:
> 
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: lewiz@LEWIZ.ORG
> 
>   Issued           Expires          Principal
> Aug  6 16:06:04  Aug  7 02:06:04  krbtgt/LEWIZ.ORG@LEWIZ.ORG
> Aug  6 16:06:07  Aug  7 02:06:04  ldap/orange.lewiz.org@LEWIZ.ORG
> 
>   I've been having troubles with this for a while; I thought it was
> because I was trying to use {KERBEROS} but I get the same with {SASL}.
> This is FreeBSD, not Debian but it might be of some use to you.
> 
>   Best wishes,
> 
> -lewiz.
-- 
Benjamin Krein
www.superk.org
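To make concrete what the saslRegexp quoted in Lewis's message does with a GSSAPI identity, here is an added Python simulation of the rewrite step (my own illustration, not slapd's code and not from anyone in this thread). It assumes slapd matches the whole `uid=<user>,cn=<realm>,cn=GSSAPI,cn=auth` string case-insensitively and substitutes `$1`..`$9`, which simplifies slapd's real behaviour, and the `PINNED_RULE` variant is an assumption of mine, added to show why the second `(.*)` in the thread's rule deserves a second look.

```python
import re

# The rule from the thread: the second (.*) accepts any realm at all.
PAGE_RULE = (r"uid=(.*),cn=(.*),cn=GSSAPI,cn=auth",
             r"uid=$1,dc=lewiz,dc=org")

# Hardened variant (my assumption, not from the thread): pin the realm and
# stop the uid capture at the first comma so one rule cannot be widened into
# mapping principals from other realms onto local entries.
PINNED_RULE = (r"uid=([^,]*),cn=LEWIZ\.ORG,cn=GSSAPI,cn=auth",
               r"uid=$1,dc=lewiz,dc=org")


def sasl_auth_dn(principal, mech="GSSAPI"):
    """Build the uid=...,cn=<realm>,cn=<mech>,cn=auth form the rules see.

    Constructed from the principal the same way the thread's regexp
    expects it; a simplification of how slapd/Cyrus SASL derive it.
    """
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_sasl_dn(auth_dn, rules):
    """Return the DN the first matching rule rewrites auth_dn to, else None.

    Simulates saslRegexp: whole-string, case-insensitive match, then $N in
    the replacement is filled from capture group N.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m is None:
            continue
        return re.sub(r"\$(\d)",
                      lambda g, m=m: m.group(int(g.group(1))),
                      replacement)
    return None


if __name__ == "__main__":
    for principal in ("lewiz@LEWIZ.ORG", "lewiz@OTHER.EXAMPLE"):
        dn = sasl_auth_dn(principal)
        print(f"{dn}\n  thread rule -> {map_sasl_dn(dn, [PAGE_RULE])}"
              f"\n  pinned rule -> {map_sasl_dn(dn, [PINNED_RULE])}")
```

Running it shows the thread's rule mapping a same-named principal from a different realm onto the same `uid=lewiz,dc=lewiz,dc=org` entry, while the pinned rule maps only the LEWIZ.ORG principal; the `gss_accept_sec_context` failure in the thread happens before this step, so the mapping is not what produces that error.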