> > Made what?
> I solved the SQL error showing in the log... I deleted the libs.
> A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a
> Kerberos TGT, or valid service tickets. Please show the output of 'klist'

klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ldapmas...@teipir.gr

  Issued           Expires          Principal
Mar 23 17:35:52  Mar 24 03:35:52  krbtgt/teipir...@teipir.gr
Mar 23 17:36:20  Mar 24 03:35:52  ldap/proof.teipir...@teipir.gr

> Which problem are we trying to solve? The GSSAPI bind, or the access lists? If
> you want GSSAPI bind, maybe you should concentrate on it first, as your access
> lists may be different for the case where you have GSSAPI working vs not.

The problems I face today are:

1) When I try to search with the authorized users I created, as described at
http://www.openinput.com/auth-howto/ar01s06.html#d0e781 (which I followed in
every step), I get no message asking for a password and the search continues
at once.

2) A general question: my project is retrieving data from an LDAP tree through
a PHP application in the most secure way possible. Should I only authorize the
admins, or all the sub-entries of a "leaf" on our LDAP tree (user names,
pass..., etc. of the users)?

P.S.: I attach my slapd.conf so you can get the full idea of my settings (I can
paste my SASL configs too). Thank you very much!!
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/misc.schema
#include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema

loglevel -1

# Misc options
# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.
sizelimit 20

# Maximum size of the primary thread pool.
threads 8

allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/openldap
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
moduleload back_hdb.so
# moduleload back_dnssrv.so

# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:

#Mapping of SASL authentication identities to LDAP entries
sasl-regexp uid=(.*),cn=(.*),cn=.*,cn=auth ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn...@$2))
sasl-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5principalname...@teipir.gr))
sasl-regexp uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth cn=ldapmas...@teipir.gr,ou=kerberos,dc=teipir,dc=gr

# This is needed so sasl-regexp/GSSAPI works correctly
#access to attrs=krb5PrincipalName
#        by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
#access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb$
#        by * none

# We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
#access to attrs=userPassword

#access to *
#        by dn="c...@nspi,dc=teipir,dc=gr" write
#        by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write
#        by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write
#        by users read
#        by * write
#        by * auth

access to *
        by * write

# CA signed certificate and server cert entries:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/openldap/ssl/voikocrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/voikokey.pem

# Use the following if client authentication is required
TLSVerifyClient try
# ... or not desired at all
#TLSVerifyClient never

#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# BDB database definitions
#######################################################################
database hdb
suffix dc=teipir,dc=gr
# <kbyte> <min>
checkpoint 32 30
rootdn c...@nspi,dc=teipir,dc=gr
#rootdn "cn=ldapmas...@teipir.gr,ou=kerberos,dc=teipir,dc=gr"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 rec
directory /var/lib/openldap-data

# Indices to maintain
#index objectClass eq
#index cn,sn,uid pres,eq,approx,sub
#index objectClass eq
index default eq,pres
index objectClass eq
index cn,sn,givenname,mail eq,pres,sub
index uid,uidNumber,gidNumber
index memberUid
index krb5PrincipalName,krb5PrincipalRealm

security simple_bind=64
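An added example, not from the posted file or the openinput howto: the only live rule above, `access to * by * write`, lets every client, an anonymous bind included, modify every attribute under dc=teipir,dc=gr, since the Kerberos-attribute and userPassword rules are commented out. A least-privilege ACL set for the same suffix would look like this; ou=People and the PHP application's bind DN cn=phpapp are assumed names, while the two manager DNs are those in the commented-out block of the posted file.

```conf
# Added example, not the poster's slapd.conf. Rules are tried in order and the
# first "access to" whose target matches wins, so the narrow rules come first.
# ou=People and cn=phpapp are assumed DNs; adjust them to the real tree.

# Kerberos key material and KDC policy attributes: never readable over LDAP.
access to attrs=krb5Key,krb5KeyVersionNumber,krb5EncryptionType,krb5KDCFlags,krb5MaxLife,krb5MaxRenew
        by * none

# krb5PrincipalName is what the sasl-regexp lookup maps on; keep it usable
# for authentication but not world-readable.
access to attrs=krb5PrincipalName
        by users read
        by anonymous auth
        by * none

# Password hashes: the owner may change them, an unauthenticated client may
# only bind with them, nobody else can read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The PHP application binds as a dedicated read-only identity, only over a
# connection with at least 128-bit protection (TLS or GSSAPI ssf), and only
# sees the user subtree.
access to dn.subtree="ou=People,dc=teipir,dc=gr"
        by dn.exact="cn=phpapp,ou=Services,dc=teipir,dc=gr" ssf=128 read
        by users read
        by * none

# Everything else: the managers from the posted file may write, other
# authenticated users may read, the application identity and anonymous
# clients get nothing. rootdn bypasses ACLs entirely, so the PHP application
# must never bind as rootdn.
access to *
        by dn.exact="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write
        by dn.exact="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write
        by dn.exact="cn=phpapp,ou=Services,dc=teipir,dc=gr" none
        by users read
        by * none
```

Check the result with slapacl(8) against each bind DN before restarting slapd; it reports the effective rights without touching the database.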