Re: LDAP and authentication

--On Sunday, February 08, 2004 9:14 PM +0100 Matthijs <matthijs@cacholong.nl> wrote:

I'm using LDAP for account information. The passwords are stored in a
Kerberos database (Heimdal).

This is working pretty well, but now I also want samba in my LDAP tree
and Windows machines in my network.

But now when I try to add something to my LDAP tree I get insufficient
    ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

When I try to search something with SASL it works (my ticket
authenticates me correctly).

But when I try to add something with my ticket (SASL), the server
says ldap_bind: Invalid credentials (49).

Then I try to add something with my ticket (SASL) and my user/pass, and
that works:
    server:~/cacholong# ldapadd -f ldap.ldif -D "uid=ldapadm,dc=cacholong,dc=nl" -W
    Enter LDAP Password:
    SASL/GSSAPI authentication started
    SASL username: ldapadm@CACHOLONG.NL
    SASL installing layers

I want to add either with my ticket or with a user/pass combination, not
both of them.

What is the output when you type "ldapwhoami"? You need to add that Kerberos identity to have write privileges in OpenLDAP. Right now you are forcing yourself to bind as uid=ldapadm, which I doubt is your username, which is what SASL/GSSAPI would see. For example, I give write access to uid=quanah,cn=accounts,dc=stanford,dc=edu. I use a sasl-regexp statement in slapd.conf to map me to that bind DN:

sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu
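As an added illustration (not part of the reply above, nor the poster's actual configuration), here is what the same approach would look like for the poster's realm. The realm CACHOLONG.NL and the principal ldapadm come from the "SASL username:" line in the question; the account DN uid=ldapadm,ou=People,dc=cacholong,dc=nl and the lowercase realm component in the regexp (written the way the reply's stanford.edu example does it) are assumptions to be confirmed with ldapwhoami.

```conf
# slapd.conf fragment (added example; the DNs and the lowercase realm
# component are assumptions, not taken from the poster's setup).
#
# 1. See what slapd sees when you bind with your ticket.  Before any
#    mapping applies, `ldapwhoami -Y GSSAPI` prints the raw SASL
#    identity, which looks like
#        dn:uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth
#    That string is what the regular expression below must match, so
#    copy the realm component exactly as ldapwhoami shows it.

# 2. Map the GSSAPI identity onto the entry that already exists in the
#    tree.  $1 is the first parenthesised group (the principal name).
#    A plain DN works here as well as the ldaps:/// URL form used in the
#    reply.  Continuation lines in slapd.conf start with whitespace.
sasl-regexp
    uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=cacholong,dc=nl

# 3. Grant write access to the mapped DN.  ACLs are evaluated top down
#    and the first matching "by" clause wins, so the write grant must
#    precede the catch-all, and it applies only to the exact DN.
access to *
    by dn.exact="uid=ldapadm,ou=People,dc=cacholong,dc=nl" write
    by * read

# After restarting slapd, `ldapwhoami -Y GSSAPI` should print the mapped
# DN, and `ldapadd -Y GSSAPI -f ldap.ldif` then needs no -D or -W:
# the ticket alone identifies the writer, which is the behaviour the
# question asks for.
```

The point of step 1 is that the mapping can only succeed if the regexp matches the authorization identity exactly as slapd constructs it; ldapwhoami is the cheapest way to see that identity before and after the mapping, and it makes a mismatch (wrong realm spelling, wrong mechanism name) obvious without touching the data.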
