
Re: Preauth error ldap heimdal kerberos



Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem.
My configs look like this.
Kerberos attributes on the LDAP PHP side are:
*krb5KDCFlags
*krb5KeyVersionNumber
*krb5MaxLife
*krb5MaxRenew
*krb5PrincipalName

objectClass
*krb5Principal
*krb5KDCEntry



sasl configs:

log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try


My access list is:
access to * by * write

but I also set up the mapping below, as I saw in the sasl-regexp config:
sasl-regexp
    uid=(.+),cn=(.+),cn=.+,cn=auth
    ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
    uid=(.+),cn=.+,cn=auth
    ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
# slapd presents an ldapi peer as gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# (gidNumber first); '+' is a regex quantifier, so it takes a single backslash
sasl-regexp
    gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
    cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

+
I have an idea of making it work like the one below, so as to give access to all registered users
while requiring a password from them. Is that correct?

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
    by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
    by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
access to attrs=userPassword
    by anonymous auth

# Anything else we may have forgotten is writable by admin, and viewable by authenticated users
access to dn.subtree="dc=teipir,dc=gr"
    by users read


When I do something like:
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255

and although I set it up to require a password (in the SASL config),

I get something like this:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

or when I use any other command on the client side, I have full access to the tree with no password required.






2010/3/19 Dan White <dwhite@olp.net>
On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
Hello there everyone

I hope you can help me with my issue, because it has really been bothering me for a week.

I set up LDAP on Gentoo and, after modifying Heimdal Kerberos and TLS,
I am stuck at this point:
I get these errors...

additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

+

AS-REQ host/proof.teipir.gr@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
2010-03-18T16:32:58 Client sent patypes: none
2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir.gr@TEIPIR.GR
2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12

Is there one host involved or two, and do they both have valid credential
caches (klist)?

Does your openldap user have access to /etc/krb5.keytab? What does your
cyrus sasl config look like (if it exists)?

Assuming you're using an ldapsearch command from the client, what options
are you passing?

Do you have any custom SASL config items in your openldap config
(sasl-host, sasl-realm or sasl-secprops)?

--
Dan White



--
Manolis Vlachakis

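As an added example (editor's code, not the poster's configuration or anything from OpenLDAP itself), the Python below models the two slapd mechanisms the posted configuration depends on, so their combined effect on the identities and ACLs quoted in this thread can be checked offline: the sasl-regexp rewriting of a SASL authentication identity, and slapd's first-match evaluation of `access to ... by ...` directives. The regexp and ACL texts are taken from the mail, with two assumptions: the peercred identity is written in the `gidNumber=0+uidNumber=0` order slapd generates for ldapi connections, and the long krb5 attribute list is shortened. Only the `*`, `anonymous` and `users` forms of `by` are modelled, and rootdn's ACL bypass is not.

```python
import re

# Added example (editor's code, not the poster's): a model of two slapd
# mechanisms the posted configuration relies on.  Rule texts come from the
# mail; the peercred regexp is in the gidNumber+uidNumber order slapd
# generates (assumption), and the krb5 attribute list is shortened.

# --- 1. sasl-regexp / authz-regexp: rewrite the SASL authentication identity.
# slapd compiles each regexp with REG_EXTENDED|REG_ICASE, tries them in order
# and rewrites with the first one that matches, substituting $1..$9.
SASL_REGEXPS = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    (r"gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth",
     "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"),
]


def map_authzid(authzid):
    """Return the DN or LDAP URL slapd would derive for a SASL identity."""
    for pattern, template in SASL_REGEXPS:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m is None:
            continue
        out = template
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$%d" % i, group)
        return out
    return authzid  # no rule matched: raw identity is used and maps to no entry


# --- 2. slapd access control: the first 'access to' whose target matches
# wins; inside it the first matching 'by' clause decides; anything left
# unmatched gets 'none'.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

POSTED_ACL = [("*", [("*", "write")])]            # "access to * by * write"

PROPOSED_ACL = [                                    # the stricter list from the mail
    ("attrs=krb5PrincipalName", [("anonymous", "auth")]),
    ("attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew",
     [("*", "none")]),                              # attribute list shortened
    ("attrs=userPassword", [("anonymous", "auth")]),
    ('dn.subtree="dc=teipir,dc=gr"', [("users", "read")]),
]


def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        dn = target_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what> form: " + what)


def _who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    raise ValueError("unsupported <who> form: " + who)


def acl_level(acls, bind_dn, target_dn, attr):
    """Access level granted to bind_dn ('' = anonymous) on target_dn/attr."""
    for what, by_clauses in acls:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, bind_dn):
                return level
        return "none"       # target matched, but no 'by' clause matched
    return "none"           # no directive matched at all


def allowed(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(acl_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    entry = "cn=spiros,ou=Managers,dc=teipir,dc=gr"
    for ident in ("uid=spiros,cn=TEIPIR.GR,cn=gssapi,cn=auth",
                  "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"):
        print(ident, "->", map_authzid(ident))
    print("posted ACL, anonymous write of cn:", allowed(POSTED_ACL, "", entry, "cn", "write"))
    print("proposed ACL, anonymous read of cn:", allowed(PROPOSED_ACL, "", entry, "cn", "read"))
    print("proposed ACL, bound user read of cn:", allowed(PROPOSED_ACL, entry, entry, "cn", "read"))
```

Running it shows that `access to * by * write` grants write on every attribute to an anonymous bind, which is the "full access to the tree with no password required" behaviour described above, while the stricter list gives anonymous only `auth` on userPassword and krb5PrincipalName and nothing on the rest of the tree. The stricter list has no `by self` clause, so a bound user gets `none` on their own userPassword as well. The first sasl-regexp turns a realm-qualified GSSAPI identity into a search under `dc=TEIPIR.GR,dc=gr`, so that base has to exist for the mapping to resolve. Separately, `-X "dn:..."` in the ldapsearch above requests proxy authorization to that DN, which slapd grants only through its authz-policy/authzTo/authzFrom settings; a refused proxy authorization is reported with the "SASL(-14): authorization failure: not authorized" text quoted in the mail.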