On 23/06/10 10:27 -0300, Diego Lima wrote:
> I'm trying to set up openldap to authenticate using my kerberos
> service, but I'm not having success so far. I've already set up MIT
> Kerberos V and I can successfully get tickets from it:
>
> r...@filesystem:~# kinit diego.lima
> Password for diego.l...@users:
> r...@filesystem:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: diego.l...@users
> Valid starting       Expires              Service principal
> 06/23/10 09:44:49    06/23/10 19:44:49    krbtgt/us...@users
>         renew until 06/24/10 09:44:46
>
> I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
>
> r...@filesystem:~# testsaslauthd -u diego.l...@users -p 123456
> 0: OK "Success."
>
> The userPassword value translates to {sasl}diego.l...@users
>
> When I try to do an authenticated search on LDAP I see the following:
>
> # ldapsearch -D
> krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br -b
> dc=domain,dc=com,dc=br '(objectClass=*)' -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are
authenticating with, for saslauthd. Use '-U diego.l...@users' instead of
the -D option:

ldapwhoami -U diego.l...@users
> I see nothing on the saslauthd output when I try to log in. Did I miss
> anything? Please note that I'm trying to use the same kerberos
> principal as my user, and this is intended. I did try adding another
> user (account and posixAccount objectClasses) with a separate kerberos
> principal and that did not work either.
By default, the cyrus sasl library will not use saslauthd. You'll need to
create a /usr/lib/sasl2/slapd.conf file with:

pwcheck_method: saslauthd
--
Dan White
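The two points in Dan's reply (slapd's SASL application config must name saslauthd as the password checker, and the bind test must use -U rather than -D) can be checked mechanically. The script below is an added example and is not part of the thread or of the OpenLDAP or Cyrus SASL projects: it reads the effective pwcheck_method out of a Cyrus SASL application config file (treating an absent key as the library default, auxprop, which is the "not using saslauthd" case Dan describes), reports whether plaintext binds will reach saslauthd, and prints the matching ldapwhoami test. The file path is the one Dan names; on some distributions the same file lives under /etc/sasl2 or /etc/ldap/sasl2 instead. The sample config files, the temporary directory and the principal user@EXAMPLE.REALM are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Cyrus SASL application
# config that slapd reads, and build the matching SASL bind test command.
# Path is an assumption taken from Dan's reply; distributions differ.
SASL_APP_CONF=/usr/lib/sasl2/slapd.conf

# Print the effective pwcheck_method from a SASL app config file.
# Cyrus SASL falls back to "auxprop" when the key is missing or the file
# does not exist, so saslauthd never sees slapd's bind attempts.
sasl_pwcheck_method() {
    conf="$1"
    method=""
    if [ -r "$conf" ]; then
        method=$(sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    [ -n "$method" ] || method="auxprop"
    printf '%s\n' "$method"
}

# Verdict: will plaintext SASL binds through slapd be routed to saslauthd?
# Returns 0 when yes, 1 when the config still uses the library default.
check_saslauthd_routing() {
    m=$(sasl_pwcheck_method "$1")
    if [ "$m" = "saslauthd" ]; then
        echo "ok: pwcheck_method=$m, slapd binds will be checked by saslauthd"
        return 0
    fi
    echo "problem: pwcheck_method=$m, slapd will not consult saslauthd"
    return 1
}

# The bind test must carry the SASL authentication identity (-U), which is
# what saslauthd validates, not an LDAP DN (-D).
sasl_bind_cmd() {
    printf 'ldapwhoami -U %s\n' "$1"
}

# Demo on two constructed config files: one missing the key, one fixed.
demo() {
    tmp=$(mktemp -d)
    printf 'mech_list: plain\n' > "$tmp/before.conf"
    printf 'mech_list: plain\npwcheck_method: saslauthd\n' > "$tmp/after.conf"
    check_saslauthd_routing "$tmp/before.conf" || true
    check_saslauthd_routing "$tmp/after.conf"
    sasl_bind_cmd 'user@EXAMPLE.REALM'
    rm -rf "$tmp"
}

demo
```

Run it as-is to see both verdicts, or call check_saslauthd_routing "$SASL_APP_CONF" on a real host; mech_list in the sample files is illustrative and only pwcheck_method is examined.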