
RE: Getting SASL working



-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Thursday, December 30, 2004 1:49 PM
To: Jonathan Reeder; openldap-software@OpenLDAP.org
Subject: Re: Getting SASL working


--On Thursday, December 30, 2004 1:08 PM -0600 Jonathan Reeder
<jreeder@nscnet.com> wrote:

>>
>> I've got a working OpenLDAP 2.2 running, and I can use simple binds to
>> both modify and query the directory.  However, I'm getting an error when
>> I try to bind with SASL.  The error is:
>>
>> # ldapsearch -b "dc=mydomain,dc=com" "(objectclass=*)"
>> ldap_sasl_interactive_bind_s: No such object
>>
>> I have an ldap-readable keytab with a single principal -
>> ldap/fqdn@MYREALM.COM and I've defined KRB5_KTNAME in my environment.  I
>> also have my rootdn set up to be "uid=ldapadmin,cn=gssapi,cn=auth".  I
>> can kinit ldapadmin, receive the ticket, but then I get that "No such
>> object" error when I try to run an ldapsearch.
>>
>> Any pointers?  Thanks a bunch.

>You are missing the Kerberos domain component.  The identity coming in will
>be:
>
>uid=ldapadmin,cn=<Kerberos domain>, cn=gssapi, cn=auth
>
>For example, my SASL DN comes in as:
>
>uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth
>
>--Quanah


------- Jonathan Reeder's Reply -----------

Thanks a bunch for the tip; I'm sure that would have caused me trouble in
the future.  However, unfortunately, I'm still getting the same error after
modifying my slapd.conf and restarting.

I don't know if my slapd.conf would be helpful to anyone, but here it is:

$ cat slapd.conf
include         /usr/local/etc/openldap/schema/core.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# SASL stuff
sasl-host <FQDN.of.this.host>
sasl-realm <MYREALM.COM>
#sasl-secprops  noplain,noanonymous,minssf=56

# SSL/TLS stuff
TLSCipherSuite          HIGH
TLSCertificateFile      /usr/local/certs/host.cert
TLSCertificateKeyFile   /usr/local/certs/host.key
TLSCACertificateFile    /usr/local/certs/host.cert

database        bdb
suffix          "dc=<mydomain>,dc=com"
#rootdn         "cn=Manager,dc=<mydomain>,dc=com"
rootdn "uid=ldapadmin,cn=<MYREALM.COM>,cn=gssapi,cn=auth"
directory       /var/db/openldap-data
mode            0700
# Indices to maintain
index   objectClass     eq

# ACLs (just to test)
access to *
        by * read

Thanks again,

Jonathan
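The DN mapping Quanah describes, applied to a rootdn like the one in the posted slapd.conf, as an added example (not code from either poster). It assumes the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form from his reply and uses a constructed config with placeholder values filled in; the realm falls back to the sasl-realm directive when the principal carries none.

```python
# Added example: build the SASL authorization DN slapd uses for a Kerberos
# identity and check a slapd.conf rootdn against it (not from the thread).

# Constructed slapd.conf fragment modelled on the one in the post, with
# placeholder values filled in; the rootdn is missing the realm RDN.
SAMPLE_CONF = """\
sasl-host       ldap.example.com
sasl-realm      EXAMPLE.COM
rootdn  "uid=ldapadmin,cn=gssapi,cn=auth"
suffix  "dc=example,dc=com"
"""

def normalize_dn(dn):
    """Comparison form: drop quotes and whitespace around separators,
    lower-case everything (uid and cn both use caseIgnore matching)."""
    rdns = []
    for rdn in dn.strip().strip('"').split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()

def sasl_authz_dn(principal, mech="gssapi", default_realm=None):
    """Map user[/instance][@REALM] to the DN form used for SASL identities.
    The realm falls back to default_realm (the sasl-realm directive)."""
    name, _, realm = principal.partition("@")
    realm = realm or default_realm
    if not realm:
        raise ValueError("no realm in principal and no sasl-realm set")
    return f"uid={name},cn={realm},cn={mech},cn=auth"

def parse_slapd_conf(text):
    """Minimal reader: first token is the directive, the rest its value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        conf[fields[0].lower()] = (fields[1] if len(fields) > 1 else "").strip('"')
    return conf

def check_rootdn(conf_text, principal):
    """Return (matches, expected_dn, configured_dn) for the config's rootdn."""
    conf = parse_slapd_conf(conf_text)
    expected = sasl_authz_dn(principal, default_realm=conf.get("sasl-realm"))
    configured = conf.get("rootdn", "")
    return normalize_dn(configured) == normalize_dn(expected), expected, configured
```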