[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL authentication : Inappropriate authentication error

--On Monday, May 15, 2006 11:53 AM +0200 Benoit Callebaut <bc@cetic.be> wrote:

The behavior of  ldapsearch is not what I expected:
1 It asked be my "authorization name". Why ? I am already authenticated
by Kerberos (I have a ticket)
2 It doesn't map my name to a correct dn.

Here is the slapd.conf:
--- SNIP ---
# sasl-realm              TEST.CETIC.BE
sasl-host               pt-jv.cetic.be

Don't set sasl-host.

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by dn="cn=Manager,dc=pt-jv,dc=cetic,dc=be" write
        by dn="uid=ldapadm.+\+realm=TEST\.CETIC\.BE" write
        by dn="uid=bc.+\+realm=TEST\.CETIC\.BE" write
        by self write
        by Manager write
        by users read
        by anonymous auth

Your authz-regexp's aren't correct at all. Try this:

authz-regexp uid=(.*),cn=TEST.CETIC.BE,cn=gssapi,cn=auth uid=$1,ou=employees,ou=people,ou=Users,dc=pt-jv,dc=cetic,dc=be


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html