
Re: OpenLDAP / SASL / Heimdal



Andreas Haupt wrote:

>Am Montag, 7. Juni 2004 14:29 schrieb sam:
>  
>
>>Andreas Haupt wrote:
>>    
>>
>>>blh@dice:~> ldapsearch -x -H ldap://dice.hmi.de/  -b "" -s base -LLL
>>>supportedSASLMechanisms
>>>dn:
>>>supportedSASLMechanisms: GSSAPI
>>>
>>>blh@dice:~> ldapwhoami -H ldap://dice.hmi.de/ -D
>>>"cn=dice,dc=hmi,dc=de" -Y GSSAPI
>>>SASL/GSSAPI authentication started
>>>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>       additional info: SASL(-13): authentication failure: GSSAPI
>>>Failure: gss_accept_sec_context
>>>blh@dice:~> klist
>>>Credentials cache: FILE:/tmp/krb5cc_10296
>>>       Principal: blh@HMI.DE
>>>
>>> Issued           Expires          Principal
>>>Jun  7 13:07:21  Jun  8 14:07:21  krbtgt/HMI.DE@HMI.DE
>>>Jun  7 13:32:38  Jun  8 14:07:21  ldap/dice.hmi.de@HMI.DE
>>>blh@dice:~>
>>>
>>>So I got a ticket. The rest is hopefully not complicated...
>>>
>>>Greetings
>>>Andreas
>>>      
>>>
>>Can you test whether user blh can log in to blh itself first? Like this:
>>blh$ telnet -ax -l blh dice.hmi.de
>>    
>>
>
>Yes, GSSAPI already works fine together with OpenSSH 3.8p1.
>
>  
>
>>==== cut this to your file as rootdn.ldif ==========
>>dn: dc=dice,dc=hmi,dc=de
>>objectClass: dcObject
>>objectClass: organization
>>dc: dice
>>o: My Play Ground
>>description: My Play Ground  LDAP Database
>>
>># Administrative user for SoM Ldap database
>>dn: cn=root,dc=dice,dc=hmi,dc=de
>>objectClass: organizationalRole
>>cn: root
>>description: SuperUser for Ldap Services
>>============end of rootdn.ldif==================
>>    
>>
>
>I only have:
>
>dn: dc=hmi,dc=de
>dc: hmi
>objectClass: top
>objectClass: dcObject
>objectClass: organization
>o: Hahn-Meitner-Institut
>description: Hahn-Meitner-Institut
>
># Administrative user for SoM Ldap database
>dn: cn=Manager,dc=hmi,dc=de
>objectClass: organizationalRole
>cn: Manager
>description: SuperUser for Ldap Services
>
>  
>
I suggest you add one more dn to indicate dice is the kerberos server.

>Do I need root?
>
>  
>
No, Manager should be fine, just make sure it is one of the super users. 
You need that for doing administration tasks. Have you added user Manager 
to the krb5.keytab database?

Please verify your ldap.conf file has the following entries:

host dice.hmi.de
base dc=hmi,dc=de
uri ldap://dice.hmi.de
ssl start_tls
tls_checkpeer yes
tls_cacertfile /opt/secure/myCA/certs/cacert.pem

In your slapd.conf file, make sure there are entries like this:
# -----------sample-------------------
TLSCACertificateFile    /opt/secure/myCA/cacert.pem
TLSCACertificatePath    /opt/secure/myCA/certs
TLSCertificateFile      /opt/secure/myCA/certs/ldap/ldapsignedreq.pem
TLSCertificateKeyFile   /opt/secure/myCA/certs/ldap/ldapkey.pem
TLSVerifyClient allow
TLSRandFile             /dev/urandom
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=hmi,dc=de"
#sasl-realm      XYZ.COM  
#sasl-host       fbsd.xyz.com
#sasl-realm     XYZ.COM
sasl-regexp
        uid=Manager,cn=dice.hmi.de,cn=gssapi,cn=auth
        uid=Manager,dc=dice,dc=hmi,dc=de
directory       /var/db/openldap-data
loglevel        256

sam
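The sasl-regexp line above is what turns the identity slapd derives from the Kerberos principal (the admin guide's `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` form) into a DN under the suffix; a bind that authenticates at the GSSAPI layer but maps to no entry is a common reason for the "Invalid credentials" seen earlier. The following is an added example, not code from the thread or from OpenLDAP: it models that mapping offline so the rules can be checked before touching slapd.conf. The second rule, the `ou=people` branch, and the case handling of the realm are assumptions made for illustration.

```python
import re

# Constructed rules in slapd.conf sasl-regexp style: (regex, replacement).
# slapd tries each regex in order against the SASL identity DN and rewrites
# it with the first match; $1, $2, ... refer to the parenthesised groups.
SASL_REGEXP_RULES = [
    # rule from the sample slapd.conf in the thread (dot escaped for a literal match)
    (r"uid=Manager,cn=dice\.hmi\.de,cn=gssapi,cn=auth",
     "uid=Manager,dc=dice,dc=hmi,dc=de"),
    # assumed general rule: any principal of realm HMI.DE -> an entry under ou=people
    (r"uid=([^,]+),cn=hmi\.de,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=hmi,dc=de"),
]


def sasl_authz_dn(principal: str, mech: str = "gssapi") -> str:
    """Derive the SASL identity DN slapd builds for a Kerberos principal.

    'blh@HMI.DE' -> 'uid=blh,cn=HMI.DE,cn=gssapi,cn=auth'. Realm case is
    kept as given here (assumption); matching below is case-insensitive.
    """
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_sasl_dn(sasl_dn: str, rules=SASL_REGEXP_RULES) -> str:
    """Apply the first matching sasl-regexp rule; unmapped DNs are returned unchanged,
    which is also what slapd does (and such a DN matches no entry in the database)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            # expand $N in the replacement with the captured groups
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn


def under_suffix(dn: str, suffix: str) -> bool:
    """True when the DN lies within the database suffix (DN equality is case-insensitive)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


if __name__ == "__main__":
    for principal in ("blh@HMI.DE", "Manager@HMI.DE", "blh@OTHER.ORG"):
        mapped = map_sasl_dn(sasl_authz_dn(principal))
        print(f"{principal:16} -> {mapped}  in suffix: {under_suffix(mapped, 'dc=hmi,dc=de')}")
```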