
RE: Newbie gets reamed by openldap, kerberos, and sasl... please help.

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Hua Ying Ling

> So it seemed like a simple task... use openldap without anonymous bind
> and verify the username and password sent in the clear to slapd using
> kerberos5. (Before you jump on us, we are adding SSL after we get it
> working.)  We have RTFM, Mini-How-To, etc., and spent 3 weeks on this
> problem with no luck.   We have attempted this on Solaris 8 and MacOS X
> 10.2 with the same result.
>
> So, what we used:
> KERBEROS V - on Solaris we built the latest MIT and were able to kinit;
> on MacOS X we took the shipping version and were able to kinit and also
> use the loginwindow with Kerberos enabled.

Unless you've added the locking patches that were mentioned (on this list or
the Cyrus list, I don't recall), using the MIT Kerberos libraries is a recipe
for disaster.

> SASL 2.1.15

> Great, but we have to allow a client (the LDAP v3 plug-in in MacOS X
> Directory Services) which can not use GSSAPI or any SASL bind
> mechanism.  In other words, we need to do a simple bind with a
> password checked against Kerberos V.  Various documentation leads us
> to believe we need saslauthd for this, but we can never seem to make
> openldap use saslauthd.

First make sure the SASL sample-server and sample-client work using the
saslauthd. There's nothing in OpenLDAP that controls that, it's purely a SASL
configuration issue. This is not the same as testsaslauthd (which I see from
the Cyrus-SASL list that you've already gotten working).

Once you have SASL configured correctly, there's nothing else to touch.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
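The check order Howard describes (saslauthd first, then the SASL library via sample-server/sample-client, and only then slapd) written out as a small script. This is an added example, not part of the thread or of the OpenLDAP/Cyrus SASL projects; the config path, the service name `slapd`, the port, and the sample-server/sample-client options are assumptions to be checked against the local install.

```shell
#!/bin/sh
# Added example (not from the thread). Walks the verification order from
# Howard Chu's reply: saslauthd -> SASL library -> slapd. Nothing here is
# OpenLDAP configuration; it is all Cyrus SASL side, which is the point.

# Per-application SASL config slapd reads (assumed default location;
# some builds use /etc/sasl2/slapd.conf instead).
SASL_APP_CONF="${SASL_APP_CONF:-/usr/lib/sasl2/slapd.conf}"

# Print the slapd.conf contents that make the PLAIN/LOGIN mechanisms hand
# the password to saslauthd. Pure function: prints only, writes nothing.
render_slapd_sasl_conf() {
    printf '%s\n' \
        'pwcheck_method: saslauthd' \
        'mech_list: PLAIN LOGIN'
}

# Write the config above to the assumed path (needs root).
write_slapd_sasl_conf() {
    render_slapd_sasl_conf > "$SASL_APP_CONF"
}

# Start saslauthd with the Cyrus "kerberos5" backend. -d keeps it in the
# foreground with debug output; drop it once the chain works.
start_saslauthd() {
    saslauthd -a kerberos5 -d
}

# Step 1: does saslauthd alone accept this principal's password?
# (This is the testsaslauthd check the original poster already had passing.)
check_saslauthd() {
    user="$1"; pass="$2"; realm="$3"
    testsaslauthd -u "$user" -p "$pass" -r "$realm" -s slapd
}

# Step 2: does the SASL library, reading the slapd.conf above, route a
# PLAIN bind through saslauthd? sample-server and sample-client ship in the
# Cyrus SASL source tree under sample/. The -s/-m/-p options are assumed
# from that tree; confirm with `sample-server -h` before relying on them.
# sample-client prompts interactively for the user and password.
check_sasl_stack() {
    port="${1:-8000}"
    sample-server -s slapd -m PLAIN -p "$port" &
    srv=$!
    sleep 1
    sample-client -s slapd -m PLAIN -p "$port" localhost
    rc=$?
    kill "$srv" 2>/dev/null
    return $rc
}

# Step 3 only makes sense after steps 1 and 2 pass; run it by hand:
#   ldapwhoami -x -H ldap://localhost -D 'uid=USER,dc=example,dc=com' -W
# (USER and the base DN are placeholders.)

# Only drive the chain when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "run" ]; then
    write_slapd_sasl_conf
    start_saslauthd &
    check_saslauthd "${2:?user}" "${3:?password}" "${4:?realm}" \
        && check_sasl_stack
fi
```

One caveat the thread does not spell out: slapd hands a simple bind to SASL only for entries whose `userPassword` value is of the form `{SASL}user@REALM` (the pass-through scheme, available when slapd was built with `--enable-spasswd`); with an ordinary hashed `userPassword`, saslauthd is never consulted and the symptom looks exactly like "openldap won't use saslauthd".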