[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and authentication

--On Sunday, February 08, 2004 9:14 PM +0100 Matthijs <matthijs@cacholong.nl> wrote:

I'm using LDAP for account information. The passwords are stored in an
Kerberos database (Heimdal)

This is working pretty good but i want now samba also into my ldap tree
and windows machines in my network.

But now when i try to add something to my LDAP tree i get insufficient
 ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

When i try to search something wit SASL it works (my ticket
authenticates me right)

But when i try to add something with my ticket (SASL) then the server
says ldap_bind: Invalid credentials (49)

Then i try to add something with my ticket (SASL) and my user/pass and
that works:
server:~/cacholong# ldapadd -f ldap.ldif -D
"uid=ldapadm,dc=cacholong,dc=nl" -W Enter LDAP Password:
SASL/GSSAPI authentication started
SASL username: ldapadm@CACHOLONG.NL
SASL installing layers

I want to add or with my ticket or with a user/pass combination and not
both of them.

What is the output when you type "ldapwhoami" ? You need to add that kerberos identity to have write privileges into OpenLDAP. Right now you are forcing yourself to bind as uid=ldapadm, which I doubt is your username, which is what SASL/gssapi would see. For example, I give write access to uid=quanah,cn=accounts,dc=stanford,dc=edu. I use a sasl-regexp statement in slapd.conf to map me to that bind DN:

sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"Why of course the people don't want war. . . . That is understood. But,
after all, it is the leaders of the country who determine the policy and it
is always a simple matter to drag the people along, whether it is a
democracy, or a fascist dictatorship, or a parliament, or a communist
dictatorship. Voice or no voice, the people can always be brought to the
bidding of the leaders. That is easy. All you have to do is tell them they
are being attacked, and denounce the peacemakers for lack of patriotism and
exposing the country to danger. It works the same in any country."
--Hermann Goering, Nazi officer, during his Nuremberg war crimes trial