
Re: Kerberized LDAP not accessible



On Fri, 21 Jan 2011 11:45:53 +0100,
Thomas Schweikle <tps@vr-web.de> wrote:

> Hi!
> 
> I kerberized ldap:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth
> uid=$1,ou=Users,dc=example,dc=com
> olcSaslHost: srv.example.com
> olcSaslRealm: EXAMPLE.COM
> 
> In /etc/ldap/ldap.conf:
> BASE            dc=example,dc=com
> URI             ldap://srv.example.com
> SASL_MECH       GSSAPI
> 
> In /etc/ldap.conf
> base dc=example,dc=com
> uri ldap://srv.example.com
> ldap_version 3
> rootbinddn cn=adm,dc=example,dc=com
> pam_password md5

This is not an OpenLDAP configuration file.

> I now try to connect to my ldap server:
> 
> client:~$ ldapsearch -H ldap://srv.example.com
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in
> database

It seems that slapd doesn't have knowledge of the SASL mechanism GSSAPI;
check with
ldapsearch -x -LLL -H ldap://srv.example.com -b "" -s base \
supportedSASLMechanisms

> client:~$ ldapsearch -D uid=user,dc=example,dc=com -H
> ldap://srv.example.com
> ldap_bind: Server is unwilling to perform (53)
>         additional info: unauthenticated bind (DN with no password)
> disallowed

You want to do a SASL bind with the GSSAPI mechanism:

ldapsearch -Y GSSAPI -H ldap://srv.example.com

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
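A small diagnostic script that follows Dieter's two steps, added here as an example; it is not code from the thread or from the OpenLDAP project. It reads the rootDSE's supportedSASLMechanisms (unfolding LDIF continuation lines, which ldapsearch emits for long values) and only attempts the SASL/GSSAPI bind when the server actually offers that mechanism, refusing to fall back to a simple bind that would send a password in clear over ldap://. The URI and base are the ones from the thread; the two LDIF replies embedded in the script are constructed samples so the parsing can run without a server, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the server URI
# ldap://srv.example.com and base dc=example,dc=com from the thread; the LDIF
# replies below are constructed samples so the parsing can be exercised offline.

URI="ldap://srv.example.com"
BASE="dc=example,dc=com"

# Print the values of attribute $1 from LDIF read on stdin. LDIF folds long
# values by continuing them on a line that begins with one space, so such a
# line is joined back to the previous one before the attribute name is
# compared (case-insensitively, as LDAP attribute names are). Base64 values
# ("attr:: ...") are not decoded; supportedSASLMechanisms values are plain
# ASCII anyway.
ldif_values() {
    awk -v attr="$1" '
        function emit(line,    n) {
            n = index(line, ":")
            if (n > 0 && tolower(substr(line, 1, n - 1)) == tolower(attr)) {
                sub(/^[^:]*:[ \t]*/, "", line)
                print line
            }
        }
        /^ /  { buf = buf substr($0, 2); next }   # continuation line
        /^#/  { next }                            # LDIF comment
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
    '
}

# Exit 0 if the SASL mechanism named in $1 appears in the LDIF on stdin.
# Mechanism names are compared exactly; the IANA names are upper-case.
offers_mech() {
    ldif_values supportedSASLMechanisms | grep -qx "$1"
}

# Constructed sample of what
#   ldapsearch -x -LLL -H "$URI" -b "" -s base supportedSASLMechanisms
# returns from a slapd whose SASL library has the GSSAPI plugin; the last
# value is folded across two lines the way LDIF allows.
SAMPLE_WITH_GSSAPI='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-
 MD5
'

# Constructed sample from a slapd that does not offer GSSAPI. Against such a
# server the client negotiates DIGEST-MD5 instead, which is the failure mode
# Dieter suspects in the thread.
SAMPLE_WITHOUT_GSSAPI='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
'

# Query the live server and bind with GSSAPI only when it is offered.
# A Kerberos ticket (kinit) must already be in the credential cache.
check_and_bind() {
    rootdse=$(ldapsearch -x -LLL -H "$URI" -b "" -s base supportedSASLMechanisms) || return 1
    if printf '%s\n' "$rootdse" | offers_mech GSSAPI; then
        ldapsearch -Y GSSAPI -H "$URI" -b "$BASE" -s base
    else
        offered=$(printf '%s\n' "$rootdse" | ldif_values supportedSASLMechanisms | tr '\n' ' ')
        echo "error: $URI does not offer GSSAPI (offered: $offered); not falling back to a simple bind" >&2
        return 1
    fi
}

# Offline demonstration on the constructed samples; check_and_bind is only
# called by hand once a real server is reachable.
printf '%s\n' "$SAMPLE_WITH_GSSAPI"    | offers_mech GSSAPI && echo "sample 1: GSSAPI offered, -Y GSSAPI will work"
printf '%s\n' "$SAMPLE_WITHOUT_GSSAPI" | offers_mech GSSAPI || echo "sample 2: GSSAPI not offered, fix slapd's SASL plugins first"
```

Run `check_and_bind` after `kinit` to go against the real server; the script never passes `-x -D ... -w` on the error path, so a mechanism problem surfaces as a clear message instead of a clear-text password on the wire.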