Okay, it's Friday and I'm brain-dead. I have OpenLDAP+SASL+Kerberos up,
configured and running with all passwords stored in our Kerberos
database. I can run queries via simple/anonymous binds,
simple/anonymous binds over SSL/TLS, Kerberos tickets, and Kerberos
tickets with SSL/TLS. Where I'm running into problems is a simple user
bind.

See the following:

    ldapsearch -x -D "uid=dumbUser,ou=People,dc=example,dc=com" -W -b "" -s base -LLL -H ldaps://server.example.com/ supportedSASLMechanisms
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

A user LDAP record looks like this:

    dn: uid=dumbUser,ou=People,dc=example,dc=com
    userPassword: [EMAIL PROTECTED]

You may ask "Why would I want to do this?" Well, I have a few clients
that can't do SASL binds.

Any ideas where to look?

--
Karen R. McArthur <[EMAIL PROTECTED]>
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240
ph:(207) 786-8236 fax:(207) 786-6057
########################################
#from slapd.conf
#SASL configuration
sasl-realm KRB.EXAMPLE.COM
sasl-host server.example.com
sasl-secprops noanonymous
sasl-regexp
    uid=(.*),cn=krb.example.com,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=example,dc=com
sasl-regexp
    cn=(.*),cn=krb.example.com,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=example,dc=com
sasl-regexp
    uid=(.*),cn=example.com,cn=kerberos_v4,cn=auth
    ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)
access to attr=userPassword
    by anonymous auth
    by dn="cn=Manager,dc=example,dc=com" write
    by dn="uid=ldapadm.+\+(realm=ILS\.EXAMPLE\.COM)" write
    by * none