
Re: Preauth error ldap heimdal kerberos



On 22/03/10 12:49 +0200, Μανόλης Βλαχάκης wrote:
Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem.
My configs look like...

sasl configs:
log_level: -1
pwcheck_method:auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try

Is this your slapd.conf sasl config? If so, you should be using the
internal 'slapd' auxprop plugin rather than ldapdb:

auxprop_plugin: slapd

My access list is:
access to * by * write

but I also set up, as I saw in the sasl-regexp config, the mapping below:
sasl-regexp
    uid=(.+),cn=(.+),cn=.+,cn=auth
    ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
    uid=(.+),cn=.+,cn=auth
    ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
sasl-regexp
    uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
    cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

I have an idea of making it work like the one below, so as to give access to
all of the registered users while requiring a password from them. Is that correct?

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
    by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
    by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
access to attrs=userPassword
    by anonymous auth

I use
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
	by anonymous auth
	by self write
	by * none

When I do something like:
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255

and although I set it up to require a password (in the sasl config),

I get something like this:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

--
Dan White
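As an added illustration (not code from this thread or from OpenLDAP), the Python below emulates how slapd walks the sasl-regexp rules quoted in the message: rules are tried in file order, the first one that matches wins, and $1/$2 in the replacement are filled from the capture groups. It assumes whole-DN, case-insensitive matching and uses constructed sample SASL auth DNs.

```python
import re

# The three sasl-regexp rules quoted in the thread, in slapd.conf order
# (slapd tries them in order and uses the first one that matches).
# "\+" is the regex escape for the literal '+' in the peercred auth DN.
SASL_REGEXP_RULES = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    (r"uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth",
     "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"),
]


def map_authc_dn(authc_dn, rules=SASL_REGEXP_RULES):
    """Map a SASL authentication DN through the rules.

    Returns (rule_index, mapped_identity) for the first rule whose pattern
    matches the whole auth DN, or None if no rule matches. The mapped
    identity is either a DN or an LDAP URL that slapd would search to find
    the user's entry.
    """
    for idx, (pattern, replacement) in enumerate(rules):
        # Assumption: whole-DN, case-insensitive matching.
        m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # Expand $1..$9 in the replacement from the capture groups.
        mapped = re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
        return idx, mapped
    return None


if __name__ == "__main__":
    # Constructed sample auth DNs: a GSSAPI login with and without a realm RDN,
    # the ldapi peer-credential identity, and an ordinary entry DN.
    for dn in (
        "uid=spiros,cn=TEIPIR.GR,cn=gssapi,cn=auth",
        "uid=spiros,cn=gssapi,cn=auth",
        "uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth",
        "cn=spiros,ou=Managers,dc=teipir,dc=gr",
    ):
        print(dn, "->", map_authc_dn(dn))
```

For a GSSAPI identity that carries a realm RDN, the first rule matches before the second, so its replacement (search base dc=$2,dc=gr) is the one that gets used.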