[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Preauth error ldap heimdal kerberos



Made what?
i solved the SQL error showing on the log...i deleted the libs..


A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a
Kerberos TGT, or valid service tickets. Please show the output of 'klist'
*klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ldapmaster@TEIPIR.GR

  Issued           Expires          Principal
Mar 23 17:35:52  Mar 24 03:35:52  krbtgt/TEIPIR.GR@TEIPIR.GR
Mar 23 17:36:20  Mar 24 03:35:52  ldap/proof.teipir.gr@TEIPIR.GR


 
Which problem are we trying to solve? The GSSAPI bind, or the access lists? If
you want GSSAPI bind, maybe you should concentrate on it first, as your access
lists may be different for the case where you have GSSAPI working vs not.
the problems i face today are

1)when i try to search 
the authorizes  users i created as read at the( http://www.openinput.com/auth-howto/ar01s06.html#d0e781   which followed in every step i did)i get no message asking a password and continues  at ones the search
 
+
a general question ..
my project is retrieving data form an ldap tree through a PHP application with the most secure way possible

should i only authorize the admins or all the sub entries of a "leaf" on our ldap tree(user names,pass...e.t.c. of the users )




P.S.:i attach you my slap.conf so as to get the full idea of my settings,(i gan paste you my sasl configs too)



 Thank you very much!!
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
#include        /etc/openldap/schema/misc.schema
#include        /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/krb5-kdc.schema

loglevel -1

# Misc options
# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.

sizelimit   20

# Maximum size of the primary thread pool.

threads     8
allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


sizelimit   20

# Maximum size of the primary thread pool.

threads     8
allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


# Load dynamic backend modules:
modulepath      /usr/lib/openldap/openldap
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_perl.so
moduleload      back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
moduleload      back_hdb.so
# moduleload    back_dnssrv.so

#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:


#Mapping of SASL authentication identities to LDAP entries

sasl-regexp
    uid=(.*),cn=(.*),cn=.*,cn=auth
    ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
    uid=(.*),cn=.*,cn=auth
    ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
sasl-regexp
    uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
    cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

# This is needed so sasl-regexp/GSSAPI works correctly
#access to attrs=krb5PrincipalName
#    by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
#access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb$
#    by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
#access to attrs=userPassword

#access to *
#        by dn="cn=M@nSpi,dc=teipir,dc=gr" write
#        by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write
#        by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write
#       by users read
#       by * write
#       by * auth

access to * by * write


# CA signed certificate and server cert entries:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/openldap/ssl/voikocrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/voikokey.pem

# Use the following if client authentication is required
TLSVerifyClient try
# ... or not desired at all
#TLSVerifyClient never

#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# BDB database definitions
#######################################################################

database        hdb
suffix dc=teipir,dc=gr
#         <kbyte> <min>
checkpoint      32      30



rootdn cn=M@nSpi,dc=teipir,dc=gr

#rootdn      "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

rootpw {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY


# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 rec

directory       /var/lib/openldap-data

# Indices to maintain

#index  objectClass     eq
#index cn,sn,uid pres,eq,approx,sub
#index objectClass eq


index   default     eq,pres

directory       /var/lib/openldap-data

# Indices to maintain

#index  objectClass     eq
#index cn,sn,uid pres,eq,approx,sub
#index objectClass eq


index   default     eq,pres
index   objectClass             eq
index   cn,sn,givenname,mail    eq,pres,sub
index   uid,uidNumber,gidNumber
index   memberUid
index   krb5PrincipalName,krb5PrincipalRealm

security simple_bind=64