I forgot to mention another problem that occurred today.
When I try to do
ldapsearch -X "dn: cn=spiros,ou=Managers,dc=teipir,dc=gr" -b "ou=Managers,dc=teipir,dc=gr" -w 1234

I get

2010-03-22T13:30:17 Failed to open database: Wrong database version
2010-03-22T13:30:17 UNKNOWN -- host/proof.teipir...@teipir.gr: No such entry in the database




2010/3/22 Μανόλης Βλαχάκης <manolisv...@yahoo.gr>

> Hello there, and thank you for your answer.
> I finally made it and moved on, but now I face another problem.
> My configs look like...
> Kerberos attributes on the LDAP PHP side are:
> krb5KDCFlags
> krb5KeyVersionNumber
> krb5MaxLife
> krb5MaxRenew
> krb5PrincipalName
>
> objectClass
> krb5Principal
> krb5KDCEntry
>
>
>
>
> sasl configs:
>
> log_level: -1
> pwcheck_method:auxprop saslauthd
> mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
> auxprop_plugin: ldapdb
> ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
> ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
> ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
> ldapdb_mech: GSSAPI EXTERNAL
> ldapdb_starttls: try
>
>
> My access list is:
> access to * by * write
>
> but I also set up, as I saw in the sasl-regexp config, the mapping below:
> sasl-regexp
>     uid=(.+),cn=(.+),cn=.+,cn=auth
>     ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn...@$2))
> sasl-regexp
>     uid=(.+),cn=.+,cn=auth
>     ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1...@teipir.gr))
> sasl-regexp
>     uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
>     cn=ldapmas...@teipir.gr,ou=kerberos,dc=teipir,dc=gr
>
> +
> I have an idea of making it work like the one below, so as to give access to
> all of the registered users while requiring a password from them. Is that correct?
>
> # This is needed so sasl-regexp/GSSAPI works correctly
> access to attrs=krb5PrincipalName
>     by anonymous auth
>
> # Kerberos attributes may only be accessible to root/ldapmaster
> access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
>     by * none
>
> # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
> access to attrs=userPassword
>     by anonymous auth
>
> # Anything else we may have forgotten is writable by admin, and viewable by authenticated users
> access to dn.subtree="dc=teipir,dc=gr"
>     by users read
>
>
> When I do something like:
> ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
>
> and although I set it up to require a password (in the SASL config),
>
> I get something like this:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: not authorized
>
> Or when I use any other command client-side, I have full access to the tree
> with no password required.
>
> 2010/3/19 Dan White <dwh...@olp.net>
>
>> On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
>>
>>> Hello there everyone,
>>>
>>> I hope you can help me with my issue because it has really been bothering me
>>> for a week.
>>>
>>> I set up LDAP on Gentoo, and after modifying Heimdal Kerberos and TLS
>>> I am stuck at this point:
>>> I get these errors...
>>>
>>> additional info: SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context
>>>
>>> +
>>>
>>> AS-REQ host/proof.teipir...@teipir.gr from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
>>>
>>> 2010-03-18T16:32:58 Client sent patypes: none
>>> 2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
>>>
>>> 2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir...@teipir.gr
>>>
>>> 2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
>>>
>>
>> Is there one host involved or two, and do they both have valid credential
>> caches (klist)?
>>
>> Does your openldap user have access to /etc/krb5.keytab? What does your
>> cyrus sasl config look like (if it exists)?
>>
>> Assuming you're using an ldapsearch command from the client, what options
>> are you passing?
>>
>> Do you have any custom SASL config items in your openldap config
>> (sasl-host, sasl-realm or sasl-secprops)?
>>
>> --
>> Dan White
>>
>
>
>
> --
> Manolis Vlachakis
>
> Nelly's Family Hotel
> Visit    :   www.nellys-hotel.gr
>               www.nellys.gr
> Skype : manolis.vlachakis
>



-- 
Manolis Vlachakis

Nelly's Family Hotel
Visit    :   www.nellys-hotel.gr
              www.nellys.gr
Skype : manolis.vlachakis
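The sasl-regexp mappings quoted in the thread (the directive is spelled authz-regexp in current slapd) are what turn the identity slapd builds from a SASL bind, of the form uid=<authcid>,cn=<REALM>,cn=<mechanism>,cn=auth for GSSAPI, into an entry in the tree: rules are tried in order, the first whose pattern matches wins, and $1/$2 in the rewrite stand for the pattern's capture groups. The script below is an added example, not OpenLDAP's code and not anything posted in this thread; it simulates that rewrite with Python's re module (slapd uses POSIX extended regexes, which agree for these patterns) on rules copied in shape from the thread, with constructed placeholder names (EXAMPLE.COM, dc=example,dc=com, cn=ldapmaster) and the gidNumber-first peercred RDN order shown in the OpenLDAP Administrator's Guide. It also checks whether the rewritten search base lies under the directory suffix, because an ldap:/// rewrite only identifies a user when the base it names actually exists.

```python
"""Simulate slapd's authz-regexp (older spelling: sasl-regexp) identity mapping.
Added example, not OpenLDAP code: Python's re module stands in for the POSIX
extended regexes slapd uses, which agree for these patterns."""
import re
from typing import List, Optional, Tuple

# Constructed placeholder directory; the thread's own names are not used.
SUFFIX = "dc=example,dc=com"
REALM = "EXAMPLE.COM"

# Rules are tried in order and the first match wins.  $N in the rewrite is
# replaced by capture group N of the matching pattern.  The three shapes
# mirror the thread's rules; the peercred pattern uses the gidNumber-first
# RDN order from the OpenLDAP Administrator's Guide.
AUTHZ_REGEXP: List[Tuple[str, str]] = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=com??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     f"ldap:///{SUFFIX}??sub?(|(uid=$1)(krb5PrincipalName=$1@{REALM}))"),
    (r"gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth",
     f"cn=ldapmaster,ou=kerberos,{SUFFIX}"),
]


def sasl_authc_dn(authcid: str, realm: Optional[str], mech: str) -> str:
    """Form the pseudo-DN slapd builds from a SASL bind before any mapping:
    uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def map_authc_dn(authc_dn: str, rules=AUTHZ_REGEXP) -> Optional[Tuple[int, str]]:
    """Return (rule index, rewritten DN or LDAP URL) for the first matching
    rule, or None when no rule applies (slapd then keeps the unmapped
    pseudo-DN, which matches no entry in the tree)."""
    for idx, (pattern, template) in enumerate(rules):
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        rewritten = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        return idx, rewritten
    return None


def search_base(mapped: str) -> Optional[str]:
    """Base DN of an ldap:/// rewrite; None when the rewrite is a plain DN."""
    if not mapped.lower().startswith("ldap:///"):
        return None
    return mapped[len("ldap:///"):].split("?", 1)[0]


def base_within_suffix(base: str, suffix: str = SUFFIX) -> bool:
    """True when the search base is the suffix itself or an entry below it."""
    b, s = base.lower(), suffix.lower()
    return b == s or b.endswith("," + s)


if __name__ == "__main__":
    identities = [
        ("spiros", REALM, "GSSAPI"),                  # Kerberos user principal
        ("host/proof.example.com", REALM, "GSSAPI"),  # Kerberos host principal
        ("spiros", None, "DIGEST-MD5"),               # mechanism without a realm
    ]
    for ident in identities:
        dn = sasl_authc_dn(*ident)
        result = map_authc_dn(dn)
        print(f"{dn}\n  -> {result}")
        if result and (base := search_base(result[1])) is not None:
            print(f"  base {base!r} within {SUFFIX!r}: {base_within_suffix(base)}")
    peer = "gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn=auth"
    print(f"{peer}\n  -> {map_authc_dn(peer)}")
```

Running it shows that a rule of the first shape substitutes the realm into the base DN (dc=EXAMPLE.COM,dc=com here), which is not under the suffix, so the search never finds the user; the second rule only gets a chance for identities without a realm component. Comparing these rewrites with what slapd prints at `-d acl`/`-d args` during a bind is the quickest way to see which rule actually fired.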

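slapd evaluates `access to` directives in the order they appear and stops at the first one whose target matches; inside it, the first `by` clause that matches the requester decides, and if none matches the implicit `by * none` denies. That ordering is why the single `access to * by * write` quoted in the thread gives every client, anonymous ones included, write access to the whole tree, and why any directive placed after it is never consulted. The script below is an added example, not OpenLDAP code and not the thread's configuration: it models that first-match evaluation for a few `by` subjects (`*`, `anonymous`, `users`, `self`) over a constructed directory (dc=example,dc=com), using the cumulative privilege ladder none < disclose < auth < compare < search < read < write < manage from slapd.access(5). A request on a target that no directive covers is treated as denied, which is this demo's own conservative assumption rather than a statement about slapd's default.

```python
"""Model slapd's first-match access-control evaluation.  Added example, not
OpenLDAP code; the directory names below are constructed placeholders."""
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

SUFFIX = "dc=example,dc=com"

# Cumulative privilege ladder from slapd.access(5): a grant of 'read' also
# implies search, compare, auth and disclose.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


class Acl(NamedTuple):
    subtree: Optional[str]            # dn.subtree="..." target; None = any entry
    attrs: Optional[FrozenSet[str]]   # attrs=... target (lower-cased); None = entry and all attrs
    by: List[Tuple[str, str]]         # ordered (who, privilege) clauses


def dn_under(dn: str, base: str) -> bool:
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def target_matches(acl: Acl, entry_dn: str, attr: Optional[str]) -> bool:
    if acl.subtree is not None and not dn_under(entry_dn, acl.subtree):
        return False
    if acl.attrs is not None and (attr is None or attr.lower() not in acl.attrs):
        return False
    return True


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    raise ValueError(f"unsupported 'by' subject in this demo: {who}")


def deciding_rule(acls: List[Acl], entry_dn: str, attr: Optional[str]) -> Optional[int]:
    """Index of the first directive whose target matches; slapd never looks past it."""
    for idx, acl in enumerate(acls):
        if target_matches(acl, entry_dn, attr):
            return idx
    return None


def allowed(acls: List[Acl], requester: Optional[str], entry_dn: str,
            attr: Optional[str], needed: str) -> bool:
    idx = deciding_rule(acls, entry_dn, attr)
    if idx is None:
        return False  # nothing covers the target: denied (this demo's assumption)
    for who, granted in acls[idx].by:
        if who_matches(who, requester, entry_dn):
            return LEVELS.index(granted) >= LEVELS.index(needed)
    return False  # no 'by' clause matched: implicit 'by * none'


# The single directive quoted in the thread: everyone, anonymous included, may write.
WEAK = [Acl(None, None, [("*", "write")])]

# A tighter list in the shape of the thread's proposal, with explicit
# 'by self write' / 'by * none' so each clause states who is left out.
HARDENED = [
    Acl(None, frozenset({"krb5key", "krb5kdcflags", "krb5keyversionnumber"}),
        [("*", "none")]),                       # KDC material: nobody over LDAP
    Acl(None, frozenset({"userpassword"}),
        [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Acl(SUFFIX, None, [("users", "read")]),     # everything else: read after binding
]

# The weak directive placed first shadows every directive after it.
SHADOWED = WEAK + HARDENED

SPIROS = f"cn=spiros,ou=Managers,{SUFFIX}"
OTHER = f"cn=other,ou=Managers,{SUFFIX}"

if __name__ == "__main__":
    checks = [
        ("WEAK", WEAK, None, "krb5Key", "write"),
        ("HARDENED", HARDENED, None, "krb5Key", "write"),
        ("HARDENED", HARDENED, None, "userPassword", "auth"),
        ("HARDENED", HARDENED, None, "userPassword", "read"),
        ("HARDENED", HARDENED, SPIROS, "userPassword", "write"),
        ("HARDENED", HARDENED, OTHER, "cn", "read"),
        ("HARDENED", HARDENED, None, "cn", "read"),
        ("SHADOWED", SHADOWED, None, "krb5Key", "write"),
    ]
    for name, acls, req, attr, need in checks:
        verdict = allowed(acls, req, SPIROS, attr, need)
        print(f"{name:9} {req or 'anonymous':>34} {need:5} {attr:13} on {SPIROS}: "
              f"{verdict} (decided by rule {deciding_rule(acls, SPIROS, attr)})")
```

The printed rule index is the thing to watch: under SHADOWED every request is decided by rule 0, exactly as slapd would decide it, so tightening the later lines changes nothing until the catch-all is moved to the end or removed. The same first-match logic applies to the `by` clauses, which is why `by * none` belongs last in a clause, not first.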