Re: ldap_bind: Invalid credentials (49)

2011-02-03 Thread Brian Candler
On Wed, Feb 02, 2011 at 10:49:55PM +0100, John Espiro wrote:
> Ubuntu 10.10 server 64bit ...
> Entering:
> ldapmodify -x -D 'cn=config' -W -f log.ldif
>
> Gives me:
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

Run ldapmodify on the same box as the server, as root. Poin

Re: same objects in multiple ou?

2011-02-01 Thread Brian Candler
On Tue, Feb 01, 2011 at 10:23:21AM -0600, Dan White wrote:
> >You should bear in mind that ultimately you're going to have some sort of
> >"password" stored in a file somewhere on the client machine - whether it be
> >a Kerberos keytab, or the private key for a TLS certificate, or something
> >else

Re: same objects in multiple ou?

2011-02-01 Thread Brian Candler
On Mon, Jan 31, 2011 at 04:04:15PM -0600, Joe Comeaux wrote:
> >  Will there be client software which performs the LDAP authentication
> >  directly to the LDAP server?
> > Can you support SASL binds in your environment?
>
> I was under the impression that most all the software would be
> attempt

Re: Kerberized LDAP not accessible

2011-01-22 Thread Brian Candler
On Fri, Jan 21, 2011 at 04:52:09PM +0100, Thomas Schweikle wrote:
> > I found the same (that DIGEST-MD5 was being preferred over GSSAPI). You can
> > fix it by disabling DIGEST-MD5.
> >
> > Under Ubuntu, I did this by
> >
> > # vi /etc/ldap/sasl2/slapd.conf
> > mech_list: gssapi external

Re: Exported group can't be imported again: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax

2011-01-21 Thread Brian Candler
On Thu, Jan 20, 2011 at 08:04:00PM +0100, Thomas Schweikle wrote:
> The group I want to add:
>
> dn: cn=somegroup,ou=Groups,dc=example,dc=org
> objectClass: posixGroups
> objectClass: top
> gidNumer: 3000
> cn: somegroup
> memberUid: someuser

Are you sure you mean posixGroups, not posixGroup ? An
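The same entry with the two schema problems fixed, as an added example rather than anything posted in the thread. slapd validates objectClass values and attribute names against its loaded schema at import time, so the misspelt class `posixGroups` is what produces "Invalid syntax (21) ... objectClass: value #0 invalid per syntax" (value #0 being the first objectClass line), and the misspelt `gidNumer` would be the next thing to fail, as "Undefined attribute type (17)". The DN and values are the ones from the question; the admin DN in the usage note is an assumption.

```ldif
# Corrected group entry (added example). Only two tokens change from the
# posted LDIF: the structural class is posixGroup (no trailing "s"), and
# the POSIX group id attribute is gidNumber. Both are defined in nis.schema,
# which must already be loaded for the import to succeed at all.
dn: cn=somegroup,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: top
gidNumber: 3000
cn: somegroup
memberUid: someuser
```

Import it with `ldapadd -x -D cn=admin,dc=example,dc=org -W -f group.ldif` (assumed admin DN), or `ldapadd -Y GSSAPI -f group.ldif` once the GSSAPI mapping discussed later on this page is in place. If nis.schema is not loaded, the error changes to "Invalid syntax" on posixGroup itself, which is the quickest way to tell a missing schema from a typo.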

Re: Kerberized LDAP not accessible

2011-01-21 Thread Brian Candler
On Fri, Jan 21, 2011 at 11:45:53AM +0100, Thomas Schweikle wrote:
> client:~$ ldapsearch -H ldap://srv.example.com
> SASL/DIGEST-MD5 authentication started

Try adding -Y GSSAPI to the ldapsearch command line. I found the same (that DIGEST-MD5 was being preferred over GSSAPI). You can fix it by disabl

Re: Handling slapd.d in OpenLDAP and Kerberos

2011-01-09 Thread Brian Candler
On Fri, Jan 07, 2011 at 09:22:01PM +0530, sarathkrishn...@gmail.com wrote:
>For authenticating via OpenLDAP, the principals need to be rewritten
>(using authz-policy and authz-regexp). We know how to do
>that in older versions of OpenLDAP which had (slapd.conf) but don't know
>how t

Re: viewing cn=config

2011-01-05 Thread Brian Candler
On Tue, Jan 04, 2011 at 05:44:25PM +0200, E.S. Rosenberg wrote:
>How do I get to see the contents of cn=config?
>Things I have tried:
>ldapsearch -b cn=config -D cn=admin,dc=mydomain -W
>ldapsearch -x cn=config
>ldapsearch -D cn=admin,dc=mydomain -W cn=config
>Some help/poi
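The cn=config change that the "authz-regexp in slapd.d" question above asks for, together with the ldapi/EXTERNAL access that this "viewing cn=config" question and the earlier "Invalid credentials (49)" thread both need, as an added example; none of it is code from the archive. On Ubuntu's slapd packaging the config database (olcDatabase={0}config) grants manage rights only to the root peer credential on the ldapi socket (`gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`) and sets no olcRootPW, which is why a simple bind as `cn=config` with `-x -W` is refused whatever password you type. So, as root on the server itself: `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` reads the tree, and `ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif` applies the LDIF below. The realm `example.org`, the suffix `dc=example,dc=org` and the `ou=People` container are assumed values.

```ldif
# Map SASL/GSSAPI authentication identities onto real entries (added example).
# slapd presents a GSSAPI identity as uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# and drops the cn=<realm> component when Cyrus SASL hands it the principal
# without its realm, which happens when the realm is the server's own
# (the behaviour the Kerberos/GSSAPI thread further down investigates).
# Two regexps cover both shapes; {0}/{1} fix the order they are tried in.
# The DN is matched in normalised (lower-case) form, hence cn=example.org.
# Realm, suffix and container are assumptions, not values from the threads.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]*),cn=example.org,cn=gssapi,cn=auth
  uid=$1,ou=People,dc=example,dc=org
olcAuthzRegexp: {1}uid=([^,]*),cn=gssapi,cn=auth
  uid=$1,ou=People,dc=example,dc=org
```

olcAuthzPolicy is not needed for this: it only governs proxy authorization (authzTo/authzFrom), not the mapping of the authenticating identity. To confirm the mapping from a client with a ticket, `ldapwhoami -Y GSSAPI -H ldap://srv.example.com` should print `dn:uid=<principal>,ou=People,dc=example,dc=org`; if it still prints a `cn=gssapi,cn=auth` DN, the regexp did not match, and `slapd -d -1` shows the exact DN being tested.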

Re: Kerberos/GSSAPI issues

2011-01-02 Thread Brian Candler
On Thu, Dec 30, 2010 at 11:49:23AM -0800, Russ Allbery wrote:
> > Have you got the one-line patch?
>
> Included below.

Thank you, Russ. Discussed further on the kerbe...@mit.edu list, and ticket raised as http://bugzilla.cyrusimap.org/show_bug.cgi?id=3380

Regards, Brian.

Re: Kerberos/GSSAPI issues

2010-12-30 Thread Brian Candler
On Wed, Dec 29, 2010 at 05:40:05PM +, Brian Candler wrote:
> However I've done some testing, and the interaction between the krb5 default
> realm, the olcSaslRealm and the actual realm of the request appears to be
> rather bizarre.

I found a hint here: http://www.cyrusimap.org/d

Re: Kerberos/GSSAPI issues

2010-12-30 Thread Brian Candler
On Wed, Dec 29, 2010 at 10:21:28AM -0800, Russ Allbery wrote:
> > My understanding is that modern kerberos apps should just try all keys in
> > the keytab until they find one which decrypts the ticket.
> > http://mailman.mit.edu/pipermail/kerberos/2010-December/016797.html
>
> Cyrus SASL doesn't.

Re: Kerberos/GSSAPI issues

2010-12-29 Thread Brian Candler
On Tue, Dec 28, 2010 at 02:28:40PM -0800, Howard Chu wrote:
> >(1) According to the documentation at
> >http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> >then the authentication DN should be
> >uid=,cn=,cn=gssapi,cn=auth
> >
> >However, running slapd in debug mode I see the cn= is missing.

Re: Kerberos/GSSAPI issues

2010-12-29 Thread Brian Candler
On Tue, Dec 28, 2010 at 02:31:44PM -0800, Howard Chu wrote:
> ># ldapsearch -s base -b "cn=config" -Y EXTERNAL -H ldapi:///
> >SASL/EXTERNAL authentication started
> >ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
> > additional info: SASL(-15): mechanism too weak for this user

Re: Kerberos/GSSAPI issues

2010-12-29 Thread Brian Candler
On Wed, Dec 29, 2010 at 07:57:43AM +0100, Dieter Kluenter wrote:
> The default ssf of ldapi is 71, but you may change localSSF in
> slapd.conf(5).
> [...]

Thank you, that is very clear. Having changed that, I can use EXTERNAL with minssf=112, but not GSSAPI. I find that if I set minssf=56 it's f

Re: Kerberos/GSSAPI issues

2010-12-28 Thread Brian Candler
On Tue, Dec 28, 2010 at 09:26:56AM +, Brian Candler wrote:
> (1) According to the documentation at
> http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> then the authentication DN should be
> uid=,cn=,cn=gssapi,cn=auth
>
> However, running slapd in debug mode I see the cn

Re: Kerberos/GSSAPI issues

2010-12-28 Thread Brian Candler
Supplementary question: I tried to set minssf so as to require encryption, like this:

# ldapmodify -Y EXTERNAL -H ldapi:/// <
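What the minssf experiment in this thread is poking at, as an added example (Brian's own LDIF is truncated by the archive, so this is not it): three separate knobs that are easy to conflate. `olcSaslSecProps minssf` is the floor Cyrus SASL applies when negotiating a mechanism's security layer; `olcSecurity ssf` is slapd's own floor for what a connection must provide before operations are accepted; `olcLocalSSF` is the strength slapd credits to an ldapi connection (71 by default, as Dieter's reply says). "SASL(-15): mechanism too weak for this user" means the first knob exceeds what the mechanism or transport can deliver: with minssf=112 and the default localSSF of 71, EXTERNAL over ldapi cannot reach 112, and GSSAPI cannot either because, as I understand it, the Cyrus SASL GSSAPI plugin of that vintage advertised a fixed maximum SSF of 56 rather than one derived from the ticket's enctype, which matches the observation that minssf=56 works and 112 does not. The numbers below are assumptions chosen to fit that behaviour.

```ldif
# Require a protected transport without locking GSSAPI out (added example).
# olcLocalSSF: what an ldapi connection is worth; must be >= every floor
#   below, otherwise the root EXTERNAL bind you use to fix things fails too.
# olcSaslSecProps: SASL's own negotiation floor. noanonymous/noplain drop
#   ANONYMOUS and the cleartext mechanisms; minssf=56 is the highest value
#   the GSSAPI mechanism in this thread could satisfy.
# olcSecurity: slapd's per-connection floor, met by TLS, by a SASL privacy
#   layer, or by localSSF on ldapi; update_ssf applies it to writes as well.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=56
-
replace: olcSecurity
olcSecurity: ssf=56 update_ssf=56
```

Apply it as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f ssf.ldif`; because olcLocalSSF is raised in the same modify, the EXTERNAL bind used to apply it keeps working afterwards. From a client, `ldapwhoami -Y GSSAPI -O minssf=56 -H ldap://srv.example.com` checks that a privacy layer of at least that strength is negotiated; ask for more with `-O minssf=112` and the bind fails, which is the client-side view of the same limit. Any simple bind over plain ldap:// is now refused with "Confidentiality required" until the client uses TLS, which is the intended effect.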

Kerberos/GSSAPI issues

2010-12-28 Thread Brian Candler
Hello, I'm setting up an openldap server for Kerberos (GSSAPI) authentication only. I'm using slapd-2.4.21 from Ubuntu 10.04.1. It's basically working, and I had to do very little other than change export KRB5_KTNAME in /etc/default/slapd to point to the service keytab. However, there are a coup