Hello there, and thank you for your answer. I finally made it and moved on, but now I face another problem. My configs look like this...

Kerberos attributes on the LDAP PHP side are:

    krb5KDCFlags
    krb5KeyVersionNumber
    krb5MaxLife
    krb5MaxRenew
    krb5PrincipalName
    objectClass: krb5Principal
    objectClass: krb5KDCEntry

SASL configs:

    log_level: -1
    pwcheck_method: auxprop saslauthd
    mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
    auxprop_plugin: ldapdb
    ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
    ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
    ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
    ldapdb_mech: GSSAPI EXTERNAL
    ldapdb_starttls: try

My access list is:

    access to * by * write

but I also set up, as I saw in the sasl-regexp config, the mapping below:

    sasl-regexp
        uid=(.+),cn=(.+),cn=.+,cn=auth
        ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn...@$2))
    sasl-regexp
        uid=(.+),cn=.+,cn=auth
        ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5principalname...@teipir.gr))
    sasl-regexp
        uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
        cn=ldapmas...@teipir.gr,ou=kerberos,dc=teipir,dc=gr

+ I have an idea of making it work like the one below, so as to give access to all of the registered users while requiring a password from them. Is that correct?

    # This is needed so sasl-regexp/GSSAPI works correctly
    access to attrs=krb5PrincipalName
        by anonymous auth

    # Kerberos attributes may only be accessible to root/ldapmaster
    access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
        by * none

    # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
    access to attrs=userPassword
        by anonymous auth

    # Anything else we may have forgotten is writable by admin, and viewable by authenticated users
    access to dn.subtree="dc=teipir,dc=gr"
        by users read

When I do something like:

    ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255

and although I set it up to require a password (in the SASL config), I get something like this:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

Or when I use any other command on the client side, I have full access to the tree with no password required.

2010/3/19 Dan White <dwh...@olp.net>

> On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
>
>> Hello there everyone,
>>
>> I hope you can help me with my issue, because it has really bothered me for a week.
>>
>> I set up an LDAP on Gentoo and, after modifying Heimdal Kerberos and TLS,
>> I am stuck at this point. I get these errors...
>>
>> additional info: SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context
>>
>> +
>>
>> AS-REQ host/proof.teipir...@teipir.gr from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
>> 2010-03-18T16:32:58 Client sent patypes: none
>> 2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
>> 2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir...@teipir.gr
>> 2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
>
> Is there one host involved or two, and do they both have valid credential
> caches (klist)?
>
> Does your openldap user have access to /etc/krb5.keytab? What does your
> cyrus sasl config look like (if it exists)?
>
> Assuming you're using an ldapsearch command from the client, what options
> are you passing?
>
> Do you have any custom SASL config items in your openldap config
> (sasl-host, sasl-realm or sasl-secprops)?
>
> --
> Dan White

--
Manolis Vlachakis
Nelly's Family Hotel
Visit: www.nellys-hotel.gr www.nellys.gr
Skype: manolis.vlachakis
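The ACL ordering in the post above, as an added example that is not part of this thread and not OpenLDAP's own code: a small Python checker that parses slapd.conf-style "access to" directives and reports a leading catch-all "access to * by * write" together with every later rule it shadows, which is why the tree stays fully accessible without a password no matter what the more specific rules say. The sample configuration inside is constructed from the directives quoted in the post, not the poster's actual file; the checker assumes the slapd.conf layout (one "access to" per logical line, continuations indented).

```python
import re

# Constructed sample (not the poster's file): the thread's catch-all "access to * by * write"
# placed ahead of the more specific rules the poster proposed.
SAMPLE_SLAPD_CONF = """\
access to *
    by * write
# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
    by anonymous auth
access to attrs=krb5KeyVersionNumber,krb5Key,krb5KDCFlags
    by * none
access to dn.subtree="dc=teipir,dc=gr"
    by users read
"""

def join_continuations(text):
    """slapd.conf treats a line starting with whitespace as a continuation of the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order; other directives are ignored."""
    acls = []
    for line in join_continuations(text):
        if line.startswith("access to "):
            what, *by_clauses = re.split(r"\s+by\s+", line[len("access to "):].strip())
            acls.append((what, [tuple(c.partition(" ")[::2]) for c in by_clauses]))
    return acls

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # ascending privilege

def audit(acls):
    """slapd applies the first 'access to' whose target matches, so a leading 'access to *' answers
    every request and shadows all later directives; also flag a catch-all that gives anonymous more than auth."""
    findings, catchall = [], None
    for i, (what, clauses) in enumerate(acls):
        if catchall is not None:
            findings.append(("shadowed", i, what))
        elif what == "*":
            catchall = i
            for who, level in clauses:
                if who in ("*", "anonymous") and level in LEVELS and LEVELS.index(level) > 2:
                    findings.append(("open_catchall", i, f"by {who} {level}"))
    return findings
```

Running audit(parse_acls(SAMPLE_SLAPD_CONF)) reports the open catch-all at index 0 and marks directives 1 to 3 as shadowed; removing the catch-all, or moving it to the end as "access to * by * none", clears every finding.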