Chastity Blackwell wrote:
On Thu, 2012-01-26 at 17:38 -0500, Howard Chu wrote:
Raffael Sahli wrote:
No, authz-regexp is to map a sasl dn to a real user account in your ldap
directory.
But your user is c...@test.com with a realm named test.com, your
userPassword should be {SASL}chas@KRBTEST
What the heck are you talking about? If the username is c...@test.com then
that is what goes in the password:
userpassword: {SASL}c...@test.com
If the realm is actually KRBTEST then the username should be chas@KRBTEST.
and also exists as a principal on your kerberos db ;)
Okay, I'm a little confused here now.
Clearly.
So here's what I have in krb5.conf:
Does kinit work for your chas@KRBTEST user? Judging from what you've pasted
here, I don't think it should. Get your basic Kerberos installation working
first. Take things one step at a time.
[libdefaults]
default_realm = KRBTEST
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
AKTEST = {
kdc = ldapsandbox.test.com:88
admin_server = ldapsandbox.test.com:749
default_domain = test.com
}
[domain_realm]
.agkn.net = KRBTEST
agkn.net = KRBTEST
And when I look at my principals in Kerberos, this is what I have:
kadmin: listprincs
K/M@KRBTEST
chas/admin@KRBTEST
chas@KRBTEST
host/ldapsandbox.test.com@KRBTEST
kadmin/admin@AKTEST
kadmin/changepw@AKTEST
kadmin/history@AKTEST
kadmin/ldapsandbox.test.com@KRBTEST
krbtgt/KRBTEST@KRBTEST
ldap/ldapsandbox.test.com@KRBTEST
root/admin@KRBTEST
So what should the userPassword attribute be set to? I assumed it should
be {SASL}chas@KRBTEST -- is that correct? I just want to make sure I'm
on the right track there.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
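A consistency check for the pieces discussed in this thread, added here as an example and not code from the list or from OpenLDAP: it parses the pasted krb5.conf, flags a realm that default_realm and [domain_realm] reference but [realms] never defines, and confirms that the identity in a {SASL}user@REALM userPassword value is an actual principal. The sample inputs are constructed from the thread; the parser is minimal and ignores keys inside realm blocks.

```python
import re

# Constructed sample: the krb5.conf pasted in the thread (trimmed).
KRB5_CONF = """\
[libdefaults]
default_realm = KRBTEST
[realms]
AKTEST = {
kdc = ldapsandbox.test.com:88
}
[domain_realm]
.agkn.net = KRBTEST
agkn.net = KRBTEST
"""
# Constructed sample: the 'listprincs' output from the thread (trimmed).
LISTPRINCS = "K/M@KRBTEST chas@KRBTEST krbtgt/KRBTEST@KRBTEST kadmin/admin@AKTEST"

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; realm blocks are recorded by name only."""
    sections, current, depth = {}, {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            current[line.split("=")[0].strip()] = {}
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def check_config(conf_text, princs_text, sasl_userpassword):
    """Return a list of problems; an empty list means the pieces agree."""
    conf = parse_krb5_conf(conf_text)
    realms, problems = conf.get("realms", {}), []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] block")
    for dom, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"{dom} maps to undefined realm {realm}")
    # {SASL}user@REALM must name an existing principal for pass-through auth.
    ident = sasl_userpassword.removeprefix("{SASL}")
    if ident not in princs_text.split():
        problems.append(f"{ident} is not a principal")
    return problems
```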