[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Preauth error ldap heimdal kerberos

On 22/03/10 12:49 +0200, Μανόλης Βλαχάκης wrote:
Hallo there and thank you for your answer
i finally made it and moved on but now i face other problem.
My configs look like...

sasl configs:
*log_level: -1*
*pwcheck_method:auxprop saslauthd*
*auxprop_plugin: ldapdb*
*ldapdb_uri: ldaps:// ldapi:///*
*ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr*
*ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY*
*ldapdb_mech: GSSAPI EXTERNAL*
*ldapdb_starttls: try*

Is this your slapd.conf sasl config? If so, you should be using the
internal 'slapd' auxprop plugin rather that ldapdb:

auxprop_plugin: slapd

My access list is :
*access to * by * write*

but i also set up as i saw on the sasl-regexp config the mapping below
*    uid=(.+),cn=(.+),cn=.+,cn=auth*
*    ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))*
*    uid=(.+),cn=.+,cn=auth*
*    ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR
*    uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth*
*    cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr*

*i have an idea of making work like the one below so as to give access to
all of the users registered*
*requiring them a password is that correct:*
*# This is needed so sasl-regexp/GSSAPI works correctly*
*access to attrs=krb5PrincipalName*
*    by anonymous auth*
*# Kerberos attributes may only be accessible to root/ldapmaster*
*access to
*    by * none*
*# We will be using userPassword to provide simple BIND access, so we don't
want this to be user editable*
*access to attrs=userPassword*
*    by anonymous auth*
* *

I use
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
	by anonymous auth
	by self write
	by * none

when i do like :
*ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255*

and although i set up to require a password (on the sasl config )

and i get something like that:

*SASL/GSSAPI authentication started*
*ldap_sasl_interactive_bind_s: Insufficient access (50)*
*        additional info: SASL(-14): authorization failure: not authorized*

Dan White