Hello,
I recently added Kerberos authentication to my LDAP server, and I am trying to
connect the other servers to it. I have a server running the Davical shared
calendar, and I hope to get it working with my LDAP server again after the
Kerberos integration.

Here is my configuration, which was working before the integration; my source
is http://wiki.davical.org/w/Configuration/LDAP#Kerberos_Authentication
  $c->authenticate_hook['config'] = array(
    'host'            => 'ldap.domain.com', //host name of your LDAP Server
    'port'            => '389', //port//
    'bindDN'          => 'cn=admin,dc=domain,dc=com', //DN to bind request to this server (if required)//
    'passDN'          => 'password', //Password of request bind
    'baseDNUsers'     => 'ou=People,dc=domain,dc=com', //where to look for valid user
    'filterUsers'     => 'objectClass=*', //filter which must validate a user according to RFC4515, i.e. surrounded by brackets
    'protocolVersion' => 3, // important for simple auth (no sasl)//
    'startTLS'        => true, // securing your LDAP connection
    'i_use_mode_kerberos' => "i_know_what_i_am_doing",
  );
My slapd error logs:

Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND
My OLC configuration:

root@ldap:/var/log# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=([^,]+),cn=domain.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=domain,dc=com
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcSaslRealm: DOMAIN.COM
olcToolThreads: 1

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=krb5,dc=domain,dc=com" by dn="cn=adm-srv,ou=krb5,domain,dc=com" write by dn="cn=kdc-srv,ou=krb5,domain,dc=com" read by * none
olcAccess: {2}to attrs=loginShell,gecos by self write by users read by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcLastMod: TRUE
olcRootDN: uid=admin,ou=people,domain,dc=com

Any suggestion to fix the binding and get my search working again with Kerberos
authentication?
Thanks.
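As an added diagnostic (not from the post or from DaviCAL), here is a small parser for slapd loglevel "stats" lines like those quoted above: it correlates BIND and SEARCH RESULT by conn/op and flags connections where an anonymous simple bind (dn="" method=128) then received err=32 (noSuchObject) on a search; on a directory whose catch-all ACL ends in "by * none" that pattern usually means the base is hidden from anonymous, not that it is absent. The sample log is constructed after the quoted lines.

```python
import re

# Constructed sample, modelled on the slapd loglevel "stats" lines quoted in the post.
SAMPLE_LOG = """\
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
LDAP_AUTH_SIMPLE = 128    # method=128 is a simple bind; with dn="" it is anonymous
LDAP_NO_SUCH_OBJECT = 32  # err=32: base not found, or not readable by the bound identity


def parse_connections(log_text):
    """Group the BIND and SEARCH operations of a stats log by connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group(1), {"bind_dn": None, "method": None, "searches": {}})
        rest = m.group(2)
        b, s, r = BIND_RE.match(rest), SRCH_RE.match(rest), RESULT_RE.match(rest)
        if b:
            conn["bind_dn"], conn["method"] = b.group(2), int(b.group(3))
        elif s:
            conn["searches"][s.group(1)] = {"base": s.group(2), "err": None, "nentries": None}
        elif r:
            op = conn["searches"].setdefault(r.group(1), {"base": None, "err": None, "nentries": None})
            op["err"], op["nentries"] = int(r.group(2)), int(r.group(3))
    return conns


def anonymous_nosuchobject(log_text):
    """Return (conn, base) pairs where an anonymous simple bind then got err=32 on a search."""
    # With a catch-all ACL of 'by * none', err=32 for anonymous usually means "hidden", not "missing".
    hits = []
    for conn_id, conn in parse_connections(log_text).items():
        if conn["method"] == LDAP_AUTH_SIMPLE and conn["bind_dn"] == "":
            hits.extend((conn_id, op["base"]) for op in conn["searches"].values()
                        if op["err"] == LDAP_NO_SUCH_OBJECT)
    return hits
```

Run it against a slapd stats log and compare the flagged connections with the bind DaviCAL is expected to use; a hit means the search ran unauthenticated before the ACLs were consulted.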