
Re: Openldap simple bind



couple of things..
 
the --with-kerberos and --enable-kpasswd are not necessary..

the {KERBEROS}principal is not needed..
 
for sasl you need to run the saslauthd daemon and saslauthd needs to know about slapd.. in /usr/local/lib/sasl2 you need a slapd.conf file that contains:
pwcheck_method: saslauthd
saslauthd_path: /usr/local/sbin/mux
 
there are some other pieces out there that can help you with heimdal+openldap.  check the contrib section under sources on the openldap.org site.
 
good luck.
 
 
 
 
Jonathan Higgins
IT R&D Project Manager
Kennesaw State University
jhiggins@kennesaw.edu
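
Added example, not part of either mail: a small POSIX sh check for the pieces the reply above lists, i.e. a sasl2/slapd.conf that names saslauthd as the password checker and points at its mux socket, plus a check that a userPassword value has the {SASL}principal@REALM shape. The config written by demo() is constructed here; the key names and socket path are the ones given in the reply.

```shell
#!/bin/sh
# Check the saslauthd pass-through setup described in the reply (example code,
# not from the thread). Sample config below is constructed for the demo.

# Print the value of one "key: value" line from a Cyrus SASL application config.
sasl_conf_get() {                       # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the file selects saslauthd and gives a saslauthd_path;
# otherwise say what is missing and return 1.
sasl_conf_check() {                     # $1 = path to sasl2/slapd.conf
    method=$(sasl_conf_get "$1" pwcheck_method)
    mux=$(sasl_conf_get "$1" saslauthd_path)
    [ "$method" = "saslauthd" ] || { echo "pwcheck_method is '$method', expected saslauthd"; return 1; }
    [ -n "$mux" ] || { echo "saslauthd_path is not set"; return 1; }
    # The mux is a Unix socket created by a running saslauthd; -S tests for one.
    [ -S "$mux" ] || echo "warning: no socket at $mux (is saslauthd running?)"
    return 0
}

# Return 0 when a userPassword value has the {SASL}user@REALM form that makes
# slapd hand the simple bind to the SASL library instead of comparing a hash.
is_sasl_passthrough() {                 # $1 = userPassword value
    printf '%s\n' "$1" | grep -Eq '^\{SASL\}[^@[:space:]]+@[A-Za-z0-9.-]+$'
}

# Demo: write a constructed config in the shape the reply describes and check it.
demo() {
    tmp=$(mktemp)
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: /usr/local/sbin/mux\n' > "$tmp"
    sasl_conf_check "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```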

>>> Marcos Aguinaldo Forquesato <guina@ccuec.unicamp.br> 3/9/2005 9:04:09 AM >>>
Hello

I've been working on a Central Authentication Server with SASL/GSSAPI and
OpenLDAP simple bind authentication using a Kerberos key server.
The SASL/GSSAPI authentication is working. However, I've defined
userPassword as {SASL}principal@REALM (and {KERBEROS}principal@REALM)
for simple bind and the test doesn't work.
According to the saslauthd debug output, OpenLDAP doesn't call
saslauthd/kerberos... :-/

I changed userPassword to "teste123" and it worked perfectly.

I'm using FreeBSD 5.3 with OpenLDAP 2.2.23, Heimdal 0.6.3 (with openldap
backend) and cyrus-sasl-saslauthd 2.1.20.

I've been working through the docs at
http://www.opentechnet.com/auth-howto/
http://www.bayour.com/LDAPv3-HOWTO.html
and
http://www.openldap.org/lists/openldap-software/200308/msg00158.html
http://www.openldap.org/lists/openldap-software/200502/msg00470.html

Do you have any clues?

Thanks in advance for any help!

Aguinaldo


---------------

# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=ldapadmin@unicamp.br,ou=kerberos,dc=unicamp,dc=br

%ldapwhoami
SASL/GSSAPI authentication started
SASL username: chico@UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn:cn=chico silva,ou=kerberos,dc=unicamp,dc=br

%ldapsearch -ZZ -H ldap:// -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: chico@UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

%/usr/local/sbin/testsaslauthd -u chico -p teste123 -r UNICAMP.BR -s ldap -f /var/state/saslauthd/mux
0: OK "Success."

OpenLDAP - config:
/usr/ports/net/openldap23-sasl-server/work/openldap-2.2.23
# ./configure  --with-threads=posix --with-tls=openssl --with-kerberos
# --enable-kpasswd --enable-dynamic --with-cyrus-sasl
# --localstatedir=/var/db --enable-ldbm=yes --enable-crypt
# --enable-lmpasswd --enable-ldap=yes --enable-meta=yes --enable-rewrite
# --enable-null=yes --enable-monitor=yes --enable-bdb=yes
# --enable-hdb=yes --with-ldbm-api=berkeley --enable-spasswd
# --enable-wrappers --prefix=/usr/local --build=i386-portbld-freebsd5.3

--
Marcos Aguinaldo Forquesato             email:guina at ccuec.unicamp.br
Centro de Computação                    HP:http://www.ccuec.unicamp.br/
Universidade Estadual de Campinas (UNICAMP)