
Re: OpenLDAP with GSSAPI problem



Hello,

"Shaick" <shaick_mlist1@lycos.co.uk> writes:

> Hello Dieter,
>
> Thanks for correcting me. I am really not clear with the sasl-regexp syntax.
>
> I have corrected the syntax now as,
> sasl-regexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth
>     ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
>
>
> But still I have the same error.
>
> # ./ldapsearch -Y GSSAPI -U s001
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Failure
>
> The extra steps I did for SASL GSSAPI are,
> 1. specify "sasl-regexp" as,
>
> sasl-regexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth
>     ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
>
> 2. Modify  "userPassword" in LDIF file as,
> userPassword: {KERBEROS}principal@REALM
>
> 3. Add the user in Kerberos REALM (say s001)
>
> 4. kinit s001
>
> 5. ./ldapsearch -Y GSSAPI -U s001
>
> Please let me know if I missed anything in the steps.

Frankly, I use MIT krb5 myself and I don't have any userPassword
attribute in my entries; furthermore, my saslregexp is a bit different
from Turbo's, as I use the uid attribute to identify users:

saslRegexp
    uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
    ldap:///o=avci,c=de??sub?uid=$1
saslRegexp
    uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
    uid=$1,o=avci,c=de

When looking at your regex I'm wondering whether you have, in your real
slapd.conf, replaced @REALM with your real REALM.

I would recommend testing your setup with the SASL test suite, that is
sample/server and sample/client in the cyrus-sasl tarball, and watching
the authentication string.

As root, start 'sample/server -s ldap';
as a user, start 'sample/client -s ldap -m GSSAPI your.host'.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
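As an added illustration (my own Python, not code from this thread or from OpenLDAP) of what the sasl-regexp directives discussed above do: slapd turns the GSSAPI identity into a cn=auth DN, runs each regex over it and substitutes the capture groups into the replacement DN or LDAP URL. The rule list and identities below are constructed from the two configurations quoted in the mail; case-insensitive whole-DN matching and the exact shape of the cn=auth DN are assumptions. The last function flags a replacement that still carries the literal @REALM placeholder Dieter asks about.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule list (mine, not from the mail or OpenLDAP): each tuple
# mirrors one sasl-regexp directive, a regex over the SASL authorization
# DN and a replacement (DN or LDAP URL) in which $1..$9 are capture groups.
SASL_REGEXPS: List[Tuple[str, str]] = [
    (r"uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth",
     "ldap:///o=avci,c=de??sub?uid=$1"),
    (r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
     "ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)"),
]


def sasl_authz_dn(principal: str, realm: str) -> str:
    """DN slapd forms for a GSSAPI identity before sasl-regexp runs.

    Shape taken from the mail's examples: uid=<principal>,cn=<realm>,
    cn=gssapi,cn=auth; exact casing is version dependent (assumed here).
    """
    return f"uid={principal},cn={realm},cn=gssapi,cn=auth"


def apply_sasl_regexp(authz_dn: str,
                      rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the first matching rule's replacement with $n filled in.

    Assumption: the regex is applied case-insensitively and must cover the
    whole DN. None means no rule matched, so the bind identity stays the
    unmapped cn=auth DN and no directory entry is ever selected.
    """
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
        if match is None:
            continue
        mapped = replacement
        for n, group in enumerate(match.groups(), start=1):
            mapped = mapped.replace(f"${n}", group)
        return mapped
    return None


def unresolved_placeholders(mapped: str) -> List[str]:
    """Sample-config tokens (@REALM, a stray $n) left in the mapped value.

    A literal @REALM yields the filter krb5PrincipalName=s001@REALM, which
    matches no real entry, so the bind can never be tied to a user.
    """
    return re.findall(r"@REALM\b|\$\d", mapped)
```

Feeding the DN for principal s001 through the second rule shows the mapped URL still containing @REALM, which is exactly the check to make before blaming the rest of the Kerberos setup.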