[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP + Kerberos not allowing simple binds

{KERBEROS} is deprecated (I think). In order to use {SASL} you must compile OpenLDAP with a special option (--with-spasswd??). Have you done that?

   Best regards

Robert wrote:

I can't figure out what I am doing wrong.  I have successfully built and
install openldap 2.2.15 with cyrus sasl + gssapi/mit kerberos.  I can kinit
as a user and do sasl binds to the directory.  If I kinit and do ldapwhoami,
I can see the dn of the user in the directory because I have set the
sasl-regex directive.  The only missing thing is that I can't do a simple
bind to the directory as the user using their kerberos password.  I tried
putting {SASL}user@REALM.TLD and {KERBEROS}user@REALM.TLD for the
userPassword attribute but I keep getting "Invalid Credentials."

I start ldap with:
env KRB5_KTNAME=/etc/openldap/ldap.keytab slapd -u ldap -g ldap -h "ldap:///

The file /etc/openldap/ldap.keytab is readable to the ldap user and contains
the ldap/fully.qualified.hostname principal.

Am I missing something?
Thanks in advance.