
Re: Need SASL idiot-proof walkthrough



Digant Kasundra <digant@uta.edu> writes:

> Hello everyone,
>
> So far, no one has been able to decipher my SASL problem from my postings of
> log files and conf files etc.  I have even cleanly reinstalled my machines.
> There is something basic and simple and stupid that I must be missing.  Can
> someone please give me a step-by-step walkthrough based on the following
> information so I could make doubly sure that I am doing things properly?
>
> I have a KDC (running MIT KRB) on labrador.kerb.uta.edu.  I have an OpenLDAP
> 2.2.7 box running on omicron.kerb.uta.edu. I have a realm KERB.UTA.EDU.  I
> have a user dn: uid=digant,cn=people,dc=uta,dc=edu.
>
> An idiot-proof walkthrough would really help and I *KNOW* that's asking a
> lot out of people and I wholly apologize for that.  I've done it on my own
> and no one can see a problem with the way I did it but it still doesn't
> work.  So if someone can give me a step by step on which principals to
> create, what entry to create in the LDAP and what to put in the slapd.conf
> (and any other important steps), I promise I will buy you a pizza!
>
> (I won't detail how I've been doing it so far b/c I don't want to prejudice
> the feedback)

1. ldapsearch -x -b "" -s base supportedSASLMechanisms
   should show
   supportedSASLMechanisms: GSSAPI
2. create a principal for ldap/your.host@YOUR.REALM
3. read man slapd.conf(5), in particular on sasl-regexp
4. add a sasl-regexp to slapd.conf
5. ldapsearch -Y GSSAPI -U <user> -H ldap://your.host -b "<your base>"

I found that some versions of cyrus-sasl are case sensitive with
regard to mechanisms, so I stick to upper case notation.

-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
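The five steps above, as an added offline example that is not part of the original message: it checks the rootDSE output of step 1 for the GSSAPI mechanism (compared in upper case, as the reply recommends), and then applies a slapd.conf sasl-regexp (step 4) to the cn=auth identity slapd derives for a GSSAPI principal, so the mapping can be verified before restarting slapd. The host omicron.kerb.uta.edu, realm KERB.UTA.EDU and base dc=uta,dc=edu are the ones from the question; the rootDSE dump, the slapd.conf fragment and the regexp itself are constructed for the example, and the lower-cased realm in the cn=auth DN is an assumption (slapd compiles sasl-regexp patterns case-insensitively, so the case should not matter for the match, but confirm the real identity with ldapwhoami as noted below).

```python
import re

# Constructed rootDSE dump: what step 1 (ldapsearch -x -b "" -s base
# supportedSASLMechanisms) prints on a slapd whose Cyrus SASL has the GSSAPI plugin.
ROOTDSE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
"""

# Constructed slapd.conf fragment for step 4. Host, realm and base DN are from the
# question; the regexp is an assumed example, not the poster's configuration.
# The keytab slapd reads must hold the step 2 principal ldap/omicron.kerb.uta.edu@KERB.UTA.EDU.
SLAPD_CONF = """\
sasl-host  omicron.kerb.uta.edu
sasl-realm KERB.UTA.EDU
# map the SASL identity uid=<user>,cn=<realm>,cn=gssapi,cn=auth onto the real entry
sasl-regexp
    uid=([^,]*),cn=kerb.uta.edu,cn=gssapi,cn=auth
    uid=$1,cn=people,dc=uta,dc=edu
"""


def supported_mechs(ldif):
    """Return the mechanism names from a rootDSE LDIF dump, exactly as advertised."""
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines()
            if line.startswith("supportedSASLMechanisms:")]


def gssapi_authz_dn(principal):
    """Build the cn=auth DN slapd derives for a GSSAPI principal user[/instance]@REALM.
    Assumption: the realm is written in lower case; check the real value with
    ldapwhoami -Y GSSAPI on the server in question."""
    user, realm = principal.split("@", 1)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (user, realm.lower())


def parse_sasl_regexps(conf):
    """Collect (pattern, template) pairs from sasl-regexp directives, joining
    slapd.conf continuation lines (lines that start with whitespace)."""
    logical, rules = [], []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = line.split()
        if parts[0].lower() == "sasl-regexp" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return rules


def map_authz_dn(authz_dn, rules):
    """Apply the first matching sasl-regexp; $1..$9 in the template are the captured
    groups. Matching is unanchored and case-insensitive, mirroring slapd's regexec
    with REG_ICASE. None means no rule matched, which leaves the user bound as the
    unmapped cn=auth identity, an identity that is not an entry in the directory."""
    for pattern, template in rules:
        m = re.search(pattern, authz_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])",
                          lambda g: m.group(int(g.group(1))), template)
    return None


def walkthrough(principal, ldif=ROOTDSE_LDIF, conf=SLAPD_CONF):
    """Run the offline checks for one principal: (GSSAPI offered?, mapped DN or None)."""
    # compare the mechanism name in upper case, as the reply recommends
    offered = "GSSAPI" in supported_mechs(ldif)
    return offered, map_authz_dn(gssapi_authz_dn(principal), parse_sasl_regexps(conf))


if __name__ == "__main__":
    print(walkthrough("digant@KERB.UTA.EDU"))   # maps to the poster's entry
    print(walkthrough("digant@OTHER.EDU"))      # foreign realm: no rule matches
```

On the live server the equivalent check is `kinit digant` followed by `ldapwhoami -Y GSSAPI -H ldap://omicron.kerb.uta.edu`: if it reports a DN ending in `cn=gssapi,cn=auth`, the bind succeeded but no sasl-regexp matched, so the regexp (not Kerberos) is what still needs fixing; if it reports `uid=digant,cn=people,dc=uta,dc=edu`, step 5 will work with the ACLs written for that entry.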