
Re: Preauth error ldap heimdal kerberos



On Wed, 24 Mar 2010 12:04:57 +0200
Μανόλης Βλαχάκης <manolisvl18@yahoo.gr> wrote:

> 2010/3/24 Buchan Milne <bgmilne@staff.telkomsa.net>
> 
> > On Tuesday, 23 March 2010 11:18:57 Μανόλης Βλαχάκης wrote:
> > > after reading the openldap admin guide you mentioned
> > > I understood that by using -X on the ldapsearch command
> > > I should use the authzTo attribute as you said
> >
> > But, you haven't explained if or why you need to authorize to
> > different users.
> > IMHO, it looks plainly as if you have been using the -X flag by
> > mistake ...
> >
> > The document you referred to doesn't use -X anywhere, only -x in
> > the case of
> > simple binds.
> >
> I want to do sasl bind, not simple bind, that's why I use the -X
> flag! Am I wrong?
> What are you suggesting to do with the users? I believe that there is
> no need to have all users authorized but only two, for example only
> those who I have in kerberos: ldapmaste and kadmin/admin! Am I right?
> Take a look at my slapd.conf!
> My problem is that I want to do sasl bind with password and not
> only with dn, because now I do sasl bind only with one of the
> authorized dn!

Did you create a ldap service and host principal? If so, just use the
GSSAPI mechanism, something like 'ldapsearch -Y GSSAPI -H
ldap://some.host' and you may write an appropriate authz-regexp in order
to match the sasl authentication string to a DN.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
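Added example, not part of the original thread and not taken from the poster's slapd.conf: a small simulation of the authz-regexp mapping Dieter refers to. After a GSSAPI bind slapd sees the SASL authentication identity uid=<primary>[/<instance>],cn=<realm>,cn=gssapi,cn=auth and tries the authz-regexp lines in order; the first match wins and $1, $2 ... in the replacement are the captured groups. The realm EXAMPLE.COM, the base dc=example,dc=com, the admin principal ldapadmin and the user names are assumptions for illustration; kadmin/admin is the principal the poster mentions. The rules below deliberately exclude service principals with an instance part (host/..., ldap/...), so a catch-all does not quietly turn every keytab on the network into an LDAP identity.

```python
"""Simulate slapd's authz-regexp mapping of a GSSAPI authentication identity
to a DN. Added example; realm, base DN and names are assumptions."""
import re

# Ordered (match, replace) pairs exactly as they would appear on
# 'authz-regexp <match> <replace>' lines in slapd.conf. Patterns are anchored
# with ^ and $ on purpose: slapd searches with POSIX regexec, so an unanchored
# pattern would also match inside a longer identity string.
AUTHZ_REGEXP_RULES = [
    # The two admin principals, pinned to explicit entries (assumed DNs).
    (r"^uid=kadmin/admin,cn=example\.com,cn=gssapi,cn=auth$",
     "cn=kadmin,ou=Admins,dc=example,dc=com"),
    (r"^uid=ldapadmin,cn=example\.com,cn=gssapi,cn=auth$",
     "cn=ldapadmin,ou=Admins,dc=example,dc=com"),
    # Ordinary users: no '/' allowed, so host/... and ldap/... principals
    # never fall through into ou=People.
    (r"^uid=([^,/]+),cn=example\.com,cn=gssapi,cn=auth$",
     "uid=$1,ou=People,dc=example,dc=com"),
]


def gssapi_authcid(principal: str) -> str:
    """Build the SASL authentication identity slapd derives from a Kerberos
    principal 'primary[/instance]@REALM' when the GSSAPI mechanism is used."""
    name, realm = principal.rsplit("@", 1)
    return f"uid={name},cn={realm},cn=gssapi,cn=auth"


def map_authcid(authcid: str, rules=AUTHZ_REGEXP_RULES):
    """Return the DN the first matching rule produces, or None if no rule
    matches (slapd then keeps the bare cn=auth identity, which has no entry
    and therefore no ACL rights beyond what you grant to it explicitly).
    slapd compiles the patterns with REG_ICASE, mirrored by re.IGNORECASE."""
    for pattern, replacement in rules:
        m = re.search(pattern, authcid, flags=re.IGNORECASE)
        if m:
            # Expand $1, $2 ... from the captured groups, as slapd does.
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None


def slapd_conf_lines(rules=AUTHZ_REGEXP_RULES):
    """Render the rules as slapd.conf directives (double-quoted)."""
    return [f'authz-regexp "{match}" "{replace}"' for match, replace in rules]


if __name__ == "__main__":
    # Constructed sample principals: two users, one admin, one service principal.
    for principal in ("manolis@EXAMPLE.COM", "alice@EXAMPLE.COM",
                      "kadmin/admin@EXAMPLE.COM", "host/some.host@EXAMPLE.COM",
                      "bob@OTHER.ORG"):
        authcid = gssapi_authcid(principal)
        print(f"{principal:28} -> {authcid}\n{'':28}    => {map_authcid(authcid)}")
    print("\nslapd.conf fragment:")
    print("\n".join(slapd_conf_lines()))
    # After 'kinit manolis', the bind itself is just:
    print("\nldapsearch -Y GSSAPI -H ldap://some.host -b dc=example,dc=com uid=manolis")
```

To see the real string slapd produces before writing the rule, bind with `ldapwhoami -Y GSSAPI -H ldap://some.host`: it prints the identity as slapd sees it, still in cn=auth form until an authz-regexp matches, then the mapped DN once one does.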