[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and authentication

Quanah Gibson-Mount <quanah@stanford.edu> writes:

> --On Sunday, February 08, 2004 9:14 PM +0100 Matthijs
> <matthijs@cacholong.nl> wrote:
>> I'm using LDAP for account information. The passwords are stored in an
>> Kerberos database (Heimdal)

>> But now when i try to add something to my LDAP tree i get insufficient
>> access:
>>  ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b
>> "dc=cacholong,dc=nl"
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>> When i try to search something wit SASL it works (my ticket
>> authenticates me right)
>> But when i try to add something with my ticket (SASL) then the server
>> says ldap_bind: Invalid credentials (49)
>> Then i try to add something with my ticket (SASL) and my user/pass and
>> that works:
>> server:~/cacholong# ldapadd -f ldap.ldif -D
>> "uid=ldapadm,dc=cacholong,dc=nl" -W Enter LDAP Password:
>> SASL/GSSAPI authentication started
>> SASL username: ldapadm@CACHOLONG.NL
>> SASL SSF: 56
>> SASL installing layers
>> I want to add or with my ticket or with a user/pass combination and not
>> both of them.
> What is the output when you type "ldapwhoami" ?  You need to add that
> kerberos identity to have write privileges into OpenLDAP.  Right now
> you are forcing yourself to bind as uid=ldapadm, which I doubt is your
> username, which is what SASL/gssapi would see.  For example, I give
> write access to uid=quanah,cn=accounts,dc=stanford,dc=edu.  I use a
> sasl-regexp statement in slapd.conf to map me to that bind DN:
> sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
> ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu

No, Mathijs is trying a simple bind, that is, sasl is not
involved. Either uid=ldapadm has no entry and no userpasswd attribute,
or the value of userpasswd is wrong, but ldapadm is a principal thus
gssapi works fine.


Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de