
Re: Openldap using Active Directory Kerberos password



Please do not mail me personally, keep it on the list.

On Mon, 28 Jun 2004 at 9:17pm, tuliol@sybatech.com wrote:

> Hi Frank,
> Thanks for your reply.
> I changed the userPassword: {SASL}stest75@AD.INST.EDU
>
> The saslauthd is running (/usr/local/sbin/saslauthd -a pam) and I have
> a /usr/lib/sasl2/slapd.conf with the following:

Does the testsaslauthd program work?  If that doesn't work, nothing else
will.  I run saslauthd with -a kerberos myself, but if pam is going to
validate stest75@AD.INST.EDU as a valid userid then I guess that will
work too.

> pwcheck_method:saslauthd
> saslauthd_path:/var/state/saslauthd/mux

Aside from spacing, that's exactly what my sasl2/slapd.conf file has in
it.

> The problem is that when I run a ldapsearch query that binds as the user
> uid=stest75 and the kerberos password it still gives me:
> ldap_bind: Invalid credentials (49) Incorrect Password or UserName
>
> Do I need to set these in slapd.conf:
> #sasl-realm
> #sasl-host
> #sasl-secprops  none

I don't use them in mine.

>
>
> Any ideas?

I am expecting that if you attempt with the testsaslauthd program that
it will fail too indicating that saslauthd is not successfully
validating users.

I use saslauthd -a kerberos, I have a keytab file that has the
host/<FQDN> key for each of my ldap servers in it (granted, the KDC I'm
working against is a DCE security server so it's not exactly the same as
using Active Directory).

>
> Thanks again
>
> Tulio
> Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
>
> > On Fri, 25 Jun 2004 at 8:18am, tuliol@sybatech.com wrote:
> >
> > > I got the OS to successfully use the MS AD kerberos password.
> > > Then I have the following in slapd.conf:
> >
> > Good.
> >
> > > userPassword: {KERBEROS}stest75@AD.INST.EDU
> > >
> > > Then when I try to do a bind using this account it fails.
> >
> > Oops!  You want that to be {SASL}stest75@AD.INST.EDU.  You are having
> > OpenLDAP use SASL and the saslauthd program will use Kerberos.
> >
> > Did you set up the /usr/lib/sasl2/slapd.conf file?  It should have the
> > "pwcheck_method: saslauthd" line (possibly a "saslauthd_path:" directive
> > too)
> >
> > Frank
> >
> > > Any ideas?
> > >
> > > Tulio
> > >
> > >
> > > Quoting tuliol@sybatech.com:
> > >
> > > > Frank,
> > > > Thanks for your reply.  My OS (Redhat AS) currently is using local
> > > > accounts and not kerberos.  Is that the first step?  How do I figure
> > > > out what the Kerberos realm is for the MS AD?  Do you have
> > > > instructions on how to configure slapd to use saslauth once the os
> > > > is ready?
> > > >
> > > > Thanks again
> > > >
> > > > Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
> > > >
> > > > > On Wed, 23 Jun 2004 at 4:21pm, tuliol@sybatech.com wrote:
> > > > >
> > > > > > I am trying to use the kerberos password found in Microsoft active
> > > > > > directory as the userPassword for my Openldap directory.  Has
> > > > > > anybody been successful in setting this up?
> > > > > >
> > > > > > Any help would be greatly appreciated.
> > > > >
> > > > > Have you successfully configured your OS to use the MS AD Kerberos
> > > > > password?  If so, you should be able to configure it the same way
> > > > > several of us have to talk to either Heimdal or MIT K5 KDC's (using
> > > > > {SASL}principal@realm as the userPassword value and configuring slapd
> > > > > to use saslauthd).
> > > > >
> > > > > --
> > > > > Frank Swasey                    | http://www.uvm.edu/~fcs
> > > > > Systems Programmer              | Always remember: You are UNIQUE,
> > > > > University of Vermont           |    just like everyone else.
> > > > >          === God bless all inhabitants of your planet ===

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
        === God bless all inhabitants of your planet ===
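The checks Frank walks through above (the {SASL} form of userPassword, the pwcheck_method / saslauthd_path lines in sasl2/slapd.conf regardless of spacing, the saslauthd mux socket, and testsaslauthd before blaming slapd) collected into one script. This is an added example written for this thread, not code from the list or from the OpenLDAP or Cyrus SASL projects; the config path and the username are assumptions taken from the messages above.

```shell
#!/bin/sh
# Sanity-check a saslauthd-backed slapd bind setup before touching slapd.
# Assumed path from the thread; override with SASL_SLAPD_CONF=... in the env.
SASL_SLAPD_CONF="${SASL_SLAPD_CONF:-/usr/lib/sasl2/slapd.conf}"

# Print the value of "key: value" from a SASL config file.
# Tolerates "key:value" and "key : value", as Frank notes spacing does not matter.
sasl_conf_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the config tells slapd to check passwords via saslauthd.
check_pwcheck() {
    [ "$(sasl_conf_get "$1" pwcheck_method)" = "saslauthd" ]
}

# Return 0 when a userPassword value has the {SASL}principal@REALM form
# (the thread's fix for the {KERBEROS}... value that does not work).
check_sasl_password() {
    case "$1" in
        "{SASL}"*@*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Config, mux socket, then testsaslauthd: if that fails, slapd cannot succeed.
check_saslauthd_setup() {
    conf="$1"; user="$2"
    check_pwcheck "$conf" || { echo "pwcheck_method is not saslauthd in $conf"; return 1; }
    mux=$(sasl_conf_get "$conf" saslauthd_path)
    if [ -n "$mux" ] && [ ! -S "$mux" ]; then
        echo "mux socket $mux is missing: is saslauthd running?"; return 1
    fi
    command -v testsaslauthd >/dev/null 2>&1 || { echo "testsaslauthd not installed"; return 1; }
    # Read the password without echo so it does not land in shell history;
    # testsaslauthd still receives it as an argument, so run this on the server only.
    printf 'Password for %s: ' "$user"; stty -echo; read -r pass; stty echo; echo
    testsaslauthd -u "$user" -p "$pass" ${mux:+-f "$mux"}
}

# Run the full check only when invoked with a username, e.g.:
#   sh check_saslauthd.sh stest75
if [ -n "${1:-}" ]; then
    check_saslauthd_setup "$SASL_SLAPD_CONF" "$1"
fi
```

Add `-r AD.INST.EDU` to the testsaslauthd line if your saslauthd mechanism expects the realm separately from the user.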