
Re: Syncrepl authentication via GSSAPI/SASL/Kerberos



--On Tuesday, September 30, 2014 2:30 PM -0400 Steven Presser <steve@pressers.name> wrote:

No; that bind DN is used only in simple authentication.  I am maintaining
them as separate accounts, for the time being.  One of my ACLs is:

access to *
         by dn.exact="cn=repl,dc=pressers,dc=name" read
         by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read
         by * break

Which I think ought to cover the permissions required pretty well. As you
can see, they have identical permissions.

Also, I just noticed an error introduced by copy-paste in my last email.
In both configs there is a floating "i" on the searchbase line.  That "i"
belongs at the end of "GSSAP" on the saslmech line.

Ok, well, without having your full configs available (minus passwords), one can only make guesses. ;)

I would start with binding as that ID using ldapwhoami, then move on to ldapsearch, etc, and verify all of that works as expected.

--Quanah


--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
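The point Steven's ACL rests on is that a GSSAPI bind does not arrive as the simple-bind DN at all: slapd maps the Kerberos principal to a DN of the form uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth (the default when no authz-regexp is configured), and that is the identity the "by dn.exact=..." clause has to name. The script below is an added illustration written for this archive page, not code from the thread or from OpenLDAP: it builds that default authorization DN from a principal, parses the quoted "access to *" directive (only the "dn.exact" and "*" subjects it uses are supported), and evaluates which "by" clause each identity hits, so one can see that the simple-bind DN and the GSSAPI-derived DN are granted the same "read", while anyone else falls through on "break" to the next directive. The principal and realm strings are constructed from the hostnames in the thread; DN comparison is done on a lowercased, whitespace-stripped form because uid/cn/dc use caseIgnoreMatch and dn.exact compares normalized DNs, not raw strings.

```python
"""Added example: model the two identities in the quoted ACL.

sasl_authz_dn() reproduces slapd's default SASL-identity-to-DN form
(uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth); evaluate() walks the
'by' clauses of one 'access' directive the way slapd does: the first
matching subject decides, and 'break' means "continue with the next
access directive".  Nothing here talks to a real server.
"""
import re
from typing import List, Tuple

# The ACL quoted in the thread, with the line-wrapped DN rejoined (constructed input).
ACL_DIRECTIVE = """
access to *
        by dn.exact="cn=repl,dc=pressers,dc=name" read
        by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read
        by * break
"""


def sasl_authz_dn(principal: str, mech: str = "GSSAPI") -> str:
    """Default slapd mapping of a SASL authentication identity when no
    authz-regexp rewrites it.  principal is primary/instance@REALM."""
    authcid, sep, realm = principal.partition("@")
    if not sep or not authcid or not realm:
        raise ValueError("principal must look like primary/instance@REALM")
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def normalize_dn(dn: str) -> str:
    """Comparison form: lowercase, no whitespace around RDN separators.
    uid, cn and dc all use caseIgnoreMatch, so this mirrors how dn.exact
    compares normalized DNs rather than the literal text in slapd.conf."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Only the subject forms used in the quoted ACL: '*' or dn.exact="...".
BY_RE = re.compile(r'^\s*by\s+(\*|dn\.exact="([^"]*)")\s+(\w+)\s*$')


def parse_by_clauses(directive: str) -> List[Tuple[str, str]]:
    """Return (subject, control) pairs in order; subject is '*' or a normalized DN."""
    clauses: List[Tuple[str, str]] = []
    for line in directive.strip().splitlines():
        if line.strip().startswith("access to"):
            continue  # the 'what' part; this toy treats it as matching everything
        m = BY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported clause: {line!r}")
        subject = "*" if m.group(1) == "*" else normalize_dn(m.group(2))
        clauses.append((subject, m.group(3)))
    return clauses


def evaluate(directive: str, bind_dn: str) -> str:
    """Result for one bound identity ('' = anonymous): the control word of the
    first matching 'by' clause ('read', 'break', ...).  'by * break' grants
    nothing and hands evaluation to the next access directive; if no clause
    matched at all, slapd's implicit default is to deny ('none')."""
    who = normalize_dn(bind_dn)
    for subject, control in parse_by_clauses(directive):
        if subject == "*" or subject == who:
            return control
    return "none"


if __name__ == "__main__":
    simple_dn = "cn=repl,dc=pressers,dc=name"
    # Constructed principal for the consumer's LDAP service key, as named in the thread.
    gssapi_dn = sasl_authz_dn("ldap/mordor.pressers.name@PRESSERS.NAME")
    for label, dn in (("simple bind", simple_dn), ("GSSAPI bind", gssapi_dn), ("anonymous", "")):
        print(f"{label:12s} {dn or '(none)'} -> {evaluate(ACL_DIRECTIVE, dn)}")
```

The evaluator deliberately stops at one directive: with "by * break" the real server goes on to the next "access" line, which is why Quanah's suggestion to bind as the GSSAPI identity with ldapwhoami first (to confirm the DN slapd actually derives) and only then run ldapsearch is the right order of checks; if the printed DN from ldapwhoami does not normalize to the one in the ACL, no amount of syncrepl debugging will help.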