
Re: Openldap using Active Directory Kerberos password



Frank,
When I try to run saslauthd with -a kerberos I get:
saslauthd: saslauthd[1531] :set_auth_mech   : unknown authentication mechanism: kerberos

How did you compile cyrus-sasl?
I did:
./configure --with-ldap=/usr/local/lib --with-openssl --enable-login --with-saslauthd --enable-gssapi --without-des --without-rc4 --disable-krb4

Also do you have a saslRegexp set in your openldap slapd.conf?

Thanks for your help.




Quoting Frank Swasey <Frank.Swasey@uvm.edu>:

> Please do not mail me personally, keep it on the list.
> 
> On Mon, 28 Jun 2004 at 9:17pm, tuliol@sybatech.com wrote:
> 
> > Hi Frank,
> > Thanks for your reply.
> > I changed the userPassword: {SASL}stest75@AD.INST.EDU
> >
> > The saslauthd is running (/usr/local/sbin/saslauthd -a pam) and I have
> > a /usr/lib/sasl2/slapd.conf with the following:
> 
> Does the testsaslauthd program work?  If that doesn't work, nothing else
> will.  I run saslauthd with -a kerberos myself, but if pam is going to
> validate stest75@AD.INST.EDU as a valid userid then I guess that will
> work too.
> 
> > pwcheck_method:saslauthd
> > saslauthd_path:/var/state/saslauthd/mux
> 
> Aside from spacing, that's exactly what my sasl2/slapd.conf file has in
> it.
> 
> > The problem is that when I run a ldapsearch query that binds as the user
> > uid=stest75 and the kerberos password it still gives me:
> > ldap_bind: Invalid credentials (49) Incorrect Password or UserName
> >
> > Do I need to set these in slapd.conf:
> > #sasl-realm
> > #sasl-host
> > #sasl-secprops  none
> 
> I don't use them in mine.
> 
> >
> >
> > Any ideas?
> 
> I am expecting that if you attempt with the testsaslauthd program that
> it will fail too indicating that saslauthd is not successfully
> validating users.
> 
> I use saslauthd -a kerberos, I have a keytab file that has the
> host/<FQDN> key for each of my ldap servers in it (granted, the KDC I'm
> working against is a DCE security server so it's not exactly the same as
> using Active Directory).
> 
> >
> > Thanks again
> >
> > Tulio
> > Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
> >
> > > On Fri, 25 Jun 2004 at 8:18am, tuliol@sybatech.com wrote:
> > >
> > > > I got the OS to successfully use the MS AD Kerberos password.
> > > > Then I have the following in slapd.conf:
> > >
> > > Good.
> > >
> > > > userPassword: {KERBEROS}stest75@AD.INST.EDU
> > > >
> > > > Then when I try to do a bind using this account it fails.
> > >
> > > Oops!  You want that to be {SASL}stest75@AD.INST.EDU.  You are having
> > > OpenLDAP use SASL and the saslauthd program will use Kerberos.
> > >
> > > Did you set up the /usr/lib/sasl2/slapd.conf file?  It should have the
> > > "pwcheck_method: saslauthd" line (possibly a "saslauthd_path:" directive
> > > too)
> > >
> > > Frank
> > >
> > > > Any ideas?
> > > >
> > > > Tulio
> > > >
> > > >
> > > > Quoting tuliol@sybatech.com:
> > > >
> > > > > Frank,
> > > > > Thanks for your reply.  My OS (Redhat AS) currently is using local
> > > > > accounts and not Kerberos.  Is that the first step?  How do I figure
> > > > > out what the Kerberos realm is for the MS AD?  Do you have
> > > > > instructions on how to configure slapd to use saslauth once the OS
> > > > > is ready?
> > > > >
> > > > > Thanks again
> > > > >
> > > > > Quoting Frank Swasey <Frank.Swasey@uvm.edu>:
> > > > >
> > > > > > On Wed, 23 Jun 2004 at 4:21pm, tuliol@sybatech.com wrote:
> > > > > >
> > > > > > > I am trying to use the Kerberos password found in Microsoft
> > > > > > > Active Directory as the userPassword for my Openldap directory.
> > > > > > > Has anybody been successful in setting this up?
> > > > > > >
> > > > > > > Any help would be greatly appreciated.
> > > > > >
> > > > > > Have you successfully configured your OS to use the MS AD Kerberos
> > > > > > password?  If so, you should be able to configure it the same way
> > > > > > several of us have to talk to either Heimdal or MIT K5 KDC's (using
> > > > > > {SASL}principal@realm as the userPassword value and configuring
> > > > > > slapd to use saslauthd).
> > > > > >
> > > > > > --
> > > > > > Frank Swasey                    | http://www.uvm.edu/~fcs
> > > > > > Systems Programmer              | Always remember: You are UNIQUE,
> > > > > > University of Vermont           |    just like everyone else.
> > > > > >          === God bless all inhabitants of your planet ===
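The replies above hinge on two settings: the userPassword value must be of the form {SASL}principal@realm, and /usr/lib/sasl2/slapd.conf must select saslauthd with "pwcheck_method" (spacing around the colon does not matter, the spelling does). The following script is an added example, not code from the thread or from the OpenLDAP or Cyrus SASL projects; it lints those two settings on constructed sample files and does not replace running testsaslauthd, which Frank says to do first.

```shell
#!/bin/sh
# Added example: lint the {SASL} userPassword value and the sasl2/slapd.conf
# lines discussed in the thread. Sample files are constructed below.

# Print the value of "key: value" in a SASL config file, ignoring the
# spacing around ':' (Frank notes only the spacing differs from his file).
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the file selects saslauthd; warn when saslauthd_path is absent.
lint_sasl_conf() {
    conf="$1"
    method=$(sasl_conf_get "$conf" pwcheck_method)
    if [ -z "$method" ]; then
        # Catch the misspelling that appears earlier in the thread.
        if grep -q '^[[:space:]]*pwcheck_meth' "$conf"; then
            echo "$conf: pwcheck_method is misspelled"
        else
            echo "$conf: pwcheck_method is missing"
        fi
        return 1
    fi
    if [ "$method" != "saslauthd" ]; then
        echo "$conf: pwcheck_method is '$method', expected saslauthd"
        return 1
    fi
    mux=$(sasl_conf_get "$conf" saslauthd_path)
    [ -n "$mux" ] || echo "$conf: no saslauthd_path set; saslauthd's default socket path will be used"
    return 0
}

# Return 0 when a userPassword value has the {SASL}principal@REALM form.
lint_userpassword() {
    case "$1" in
        "{SASL}"?*@?*) return 0 ;;
        "{KERBEROS}"*) echo "userPassword uses {KERBEROS}; the form that works in the thread is {SASL}principal@REALM"; return 1 ;;
        *) echo "userPassword is not of the form {SASL}principal@REALM"; return 1 ;;
    esac
}

# Constructed sample files: one matching the thread's working config, one with the typo.
WORK=$(mktemp -d)
GOOD_CONF="$WORK/good.conf"; BAD_CONF="$WORK/bad.conf"
printf 'pwcheck_method:saslauthd\nsaslauthd_path:/var/state/saslauthd/mux\n' > "$GOOD_CONF"
printf 'pwcheck_methid: saslauthd\n' > "$BAD_CONF"

lint_sasl_conf "$GOOD_CONF" && lint_userpassword '{SASL}stest75@AD.INST.EDU' && echo "settings match the thread's working configuration"
```

Point lint_sasl_conf at the real /usr/lib/sasl2/slapd.conf and lint_userpassword at the value from an ldapsearch of the entry before spending time on the bind itself.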