Re: Openldap simple bind
Hello
On Wed, Mar 09, 2005 at 11:36:02AM -0500, Jonathan Higgins wrote:
> couple of things..
>
> the --with-kerberos and --enable-kpasswd are not necessary..
>
> the {KERBEROS}principal is not needed..
OK, I'll remove these flags.
>
> for sasl you need to run the saslauthd daemon and saslauthd needs to know about slapd.. in /usr/local/lib/sasl2 you need a slapd.conf file that contains:
> pwcheck_method: saslauthd
> saslauthd_path: /usr/local/sbin/mux
I've configured /usr/local/lib/sasl2/slapd.conf as you told me,
but it still doesn't work.
/usr/local/lib/sasl2/slapd.conf:
pwcheck_method:saslauthd
saslauthd_path:/var/state/saslauthd
# saslauthd_path:/var/state/saslauthd/mux
keytab:/etc/ldap.keytab
>
> there are some other pieces out there that can help you with heimdal+openldap. check the contrib section under sources on the openldap.org site.
I'll try the pw-kerberos too.
Thanks for your help and tips.
Aguinaldo
[...]
>
> good luck.
>
>
>
>
> Jonathan Higgins
> IT R&D Project Manager
> Kennesaw State University
> jhiggins@kennesaw.edu
>
>
> >>> Marcos Aguinaldo Forquesato <guina@ccuec.unicamp.br> 3/9/2005 9:04:09 AM >>>
>
> Hello
>
> I've been working on Central Authentication Server
> with SASL/GSSAPI and OpenLDAP simple bind authentication using
> kerberos key server.
> The SASL/GSSAPI authentication is working. However, I've defined
> userPassword as {SASL}principal@REALM ( and {KERBEROS}principal@REALM )
> for simple bind and the test doesn't work.
> By saslauthd debug, the OpenLDAP doesn't call the
> saslauthd/kerberos... :-/
>
> I had changed userPassword to "teste123" and it worked perfectly.
>
> I'm using FreeBSD 5.3 with OpenLDAP 2.2.23, Heimdal
> 0.6.3 ( with openldap backend) and cyrus-sasl-saslauthd 2.1.20.
>
> I've been working through the docs at
> http://www.opentechnet.com/auth-howto/
> http://www.bayour.com/LDAPv3-HOWTO.html
> and
> http://www.openldap.org/lists/openldap-software/200308/msg00158.html
> http://www.openldap.org/lists/openldap-software/200502/msg00470.html
>
> Do you have any clues?
>
> Thanks in advance for any help!
>
> Aguinaldo
>
>
> ---------------
>
> # ldapwhoami -Y EXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=ldapadmin@unicamp.br,ou=kerberos,dc=unicamp,dc=br
>
> %ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: chico@UNICAMP.BR
> SASL SSF: 56
> SASL installing layers
> dn:cn=chico silva,ou=kerberos,dc=unicamp,dc=br
>
> %ldapsearch -ZZ -H ldap:// -b "" -s base -LLL supportedSASLMechanisms
> %SASL/GSSAPI authentication started
> SASL username: chico@UNICAMP.BR
> SASL SSF: 56
> SASL installing layers
> dn:
> supportedSASLMechanisms: NTLM
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: CRAM-MD5
>
> %/usr/local/sbin/testsaslauthd -u chico -p teste123 -r UNICAMP.BR -s
> %ldap -f /var/state/saslauthd/mux
> 0: OK "Success."
>
> OpenLDAP - config:
> /usr/ports/net/openldap23-sasl-server/work/openldap-2.2.23
> # ./configure --with-threads=posix --with-tls=openssl --with-kerberos
> # --enable-kpasswd --enable-dynamic --with-cyrus-sasl
> # --localstatedir=/var/db --enable-ldbm=yes --enable-crypt
> # --enable-lmpasswd --enable-ldap=yes --enable-meta=yes --enable-rewrite
> # --enable-null=yes --enable-monitor=yes --enable-bdb=yes
> # --enable-hdb=yes --with-ldbm-api=berkeley --enable-spasswd
> # --enable-wrappers --prefix=/usr/local --build=i386-portbld-freebsd5.3
>
> --
> Marcos Aguinaldo Forquesato email:guina at ccuec.unicamp.br
> Centro de Computação HP:http://www.ccuec.unicamp.br/
> Universidade Estadual de Campinas (UNICAMP)
>
>
>
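The thread describes the pieces that have to line up for a simple bind against a {SASL}principal@REALM userPassword to reach saslauthd: slapd built with --enable-spasswd, a Cyrus SASL application config for slapd (/usr/local/lib/sasl2/slapd.conf) with pwcheck_method: saslauthd and saslauthd_path, and a running saslauthd whose mux socket slapd can open. The diagnostic below is an added example, not code from either poster; it assumes the paths used in the thread (overridable through SASL_CONF), and it tests the chain from the outside in: first the config file, then the socket, then testsaslauthd, then an actual simple bind with ldapwhoami. It binds over ldapi:/// so the cleartext simple-bind password never crosses the network; against ldap:// the equivalent would be -ZZ as in the original post.

```shell
#!/bin/sh
# Added diagnostic for slapd -> saslauthd pass-through authentication.
# Assumptions (from the thread, not verified here): the SASL app config for
# slapd lives at /usr/local/lib/sasl2/slapd.conf and slapd presents the
# service name "ldap" to saslauthd.
SASL_CONF="${SASL_CONF:-/usr/local/lib/sasl2/slapd.conf}"

# sasl_opt FILE KEY -> value of KEY; accepts "key: value" and "key:value"
# (both spellings appear in the thread) and skips "#"-commented lines,
# which never match because the key must start the line.
sasl_opt() {
    sed -n -e "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# mux_socket PATH -> socket a saslauthd client connects to. libsasl accepts
# either the mux socket itself or its directory, appending "/mux" to the latter.
mux_socket() {
    case "$1" in
        */mux) printf '%s\n' "$1" ;;
        *)     printf '%s/mux\n' "${1%/}" ;;
    esac
}

# check_passthrough_conf FILE -> 0 if FILE routes slapd's password checks to
# saslauthd, nonzero (with the reason on stderr) otherwise.
check_passthrough_conf() {
    method=$(sasl_opt "$1" pwcheck_method)
    path=$(sasl_opt "$1" saslauthd_path)
    if [ "$method" != "saslauthd" ]; then
        echo "pwcheck_method is '$method', expected saslauthd" >&2
        return 1
    fi
    if [ -z "$path" ]; then
        echo "saslauthd_path not set; slapd cannot find the mux socket" >&2
        return 2
    fi
    return 0
}

# live_check DN USER PASSWORD REALM: exercises the whole chain on a real host.
live_check() {
    check_passthrough_conf "$SASL_CONF" || return 1
    sock=$(mux_socket "$(sasl_opt "$SASL_CONF" saslauthd_path)")
    if [ ! -S "$sock" ]; then
        echo "no saslauthd socket at $sock (is saslauthd running?)" >&2
        return 1
    fi
    # Step 1: saslauthd itself accepts the principal (same call as the thread,
    # with the service name slapd uses).
    testsaslauthd -u "$2" -p "$3" -r "$4" -s ldap -f "$sock" || return 1
    # Step 2: simple bind through slapd; with userPassword {SASL}USER@REALM this
    # must end at saslauthd. ldapi:// keeps the cleartext password local.
    ldapwhoami -x -H ldapi:/// -D "$1" -w "$3"
}

# Usage: sh check-passthrough.sh DN USER PASSWORD REALM
if [ $# -eq 4 ]; then
    live_check "$1" "$2" "$3" "$4"
fi
```

If step 1 succeeds and step 2 fails with invalid credentials, the problem is between slapd and libsasl (wrong config file name for the application, slapd not built with --enable-spasswd, or slapd running as a user that cannot open the mux socket), not in Kerberos; if step 1 fails, saslauthd's own mechanism (-a kerberos5, keytab, realm) is the place to look.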