* Bennett, Silas (GE Infrastructure) <[EMAIL PROTECTED]> [050921 22:26]:
> rootdn "cn=ldapadmin,dc=qm"
> rootpw {KERBEROS} [EMAIL PROTECTED]
You don't have tp setup a rootpw Statement with SASL. Providing a
rootdn-Statement is sufficient. With SASL Authentification is handled by
the sasl-Layer. The {KERBEROS}-PasswordSchema is obsolete.
>
> SASL is set up to use GSSAPI correctly, since the following password also
> works:
>
> rootpw {SASL} ldapadmin
That itself is not a hint, that SASL is working. It seems, you are
mixing to things up: LDAPv3 provides an authentification via SASL, that
is Authentification can be handled by a lot of means. The LDAP-Server
sees only the result of the authentification (strong bind). Then there
is a way to provide a compatibility with simple binds: the LDAP-Server
pipes the given password to an external programm, and requests, if the
password and the useridenty in the userPassword-Attribute matches.
For strong binds to work, you must provide a "sasl-regexp" statement in
your slapd.conf file. That provides a rule to match your SASL-DN's to
LDAP-DN's. Because you are using GSSAPI, it would be something like
sasl-regexp uid=(.*),cn=<REALM>,cn=gssapi,cn=auth uid=$1,<dn_of_usertree>
You can check with the "ldapwhoami"-Command, if the SASL-Matching works
as expected.
For your ACLs you should than use the dns of your user-entrys in the
LDAP-Tree.
--
Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
E-Mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Instantmessenger: Jabber: [EMAIL PROTECTED] or ICQ: 95492828
PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------
