On 22/03/10 12:49 +0200, Μανόλης Βλαχάκης wrote:
> Hallo there, and thank you for your answer. I finally made it and moved on, but now I face another problem. My configs look like...
> sasl configs:
> log_level: -1
> pwcheck_method: auxprop saslauthd
> mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
> auxprop_plugin: ldapdb
> ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
> ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
> ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
> ldapdb_mech: GSSAPI EXTERNAL
> ldapdb_starttls: try
Is this your slapd.conf sasl config? If so, you should be using the internal 'slapd' auxprop plugin rather than ldapdb:

auxprop_plugin: slapd
> My access list is: access to * by * write
> but I also set up, as I saw in the sasl-regexp config, the mapping below:
> sasl-regexp
>   uid=(.+),cn=(.+),cn=.+,cn=auth
>   ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
> sasl-regexp
>   uid=(.+),cn=.+,cn=auth
>   ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
> sasl-regexp
>   uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth
>   cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr
>
> I have an idea of making it work like the one below, so as to give access to all of the registered users while requiring a password from them. Is that correct:
>
> # This is needed so sasl-regexp/GSSAPI works correctly
> access to attrs=krb5PrincipalName
>   by anonymous auth
> # Kerberos attributes may only be accessible to root/ldapmaster
> access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
>   by * none
> # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
> access to attrs=userPassword
>   by anonymous auth
I use:

access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP by anonymous auth by self write by * none
> When I do something like: ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
> and although I set it up to require a password (in the sasl config),
> I get something like this:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>   additional info: SASL(-14): authorization failure: not authorized
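As an added illustration (my own code, not anything posted in this thread), here is a small Python model of the two slapd mechanisms the quoted config relies on: the sasl-regexp rewrite of the SASL authcDN into a DN or LDAP URI, and first-match evaluation of "access to ... by ..." directives. The rules and the ACL are the ones quoted above; the identities fed in are constructed, and the model assumes, as slapd does, that the patterns are matched case-insensitively and must cover the whole authcDN.

```python
import re

# The three sasl-regexp (authz-regexp) rules quoted in the thread, as
# (match pattern, replacement).  $1..$9 refer to the pattern's groups.
SASL_REGEXP_RULES = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    (r"uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth",
     "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"),
]


def map_authc_dn(authc_dn, rules=SASL_REGEXP_RULES):
    """Rewrite a SASL authcDN with the first matching rule, or return None.
    Assumption for illustration: case-insensitive, whole-string matching."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group)
        return out
    return None


# slapd access levels, weakest to strongest; a level implies the weaker ones.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read",
                 "write", "manage"]


def parse_access(directive):
    """Parse 'access to <what> by <who> <level> ...' into (attrs, clauses).
    attrs is None for 'to *', else a set of attribute names; clauses is the
    ordered list of (who, level).  Only the forms used in the thread."""
    head, *by_clauses = re.split(r"\s+by\s+", directive.strip())
    what = head.split(None, 2)[2]              # text after 'access to'
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    else:
        raise ValueError(f"unsupported target: {what}")
    clauses = []
    for clause in by_clauses:
        who, level = clause.split()
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level: {level}")
        clauses.append((who, level))
    return attrs, clauses


def who_matches(who, requester_dn, target_dn):
    """The <who> forms from the thread; requester_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported who clause: {who}")


def granted_level(acl, attr, requester_dn, target_dn):
    """Level the requester gets on attr of target_dn.  As in slapd, the first
    directive whose target covers the attribute decides; inside it the first
    matching 'by' clause decides and no match means none.  With no covering
    directive slapd's built-in default (read) applies."""
    for attrs, clauses in acl:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "read"


def allows(acl, attr, requester_dn, target_dn, needed):
    """True if the granted level is at least `needed` (a simple bind needs
    'auth' on userPassword)."""
    return (ACCESS_LEVELS.index(granted_level(acl, attr, requester_dn, target_dn))
            >= ACCESS_LEVELS.index(needed))


if __name__ == "__main__":
    # Constructed authcDNs: GSSAPI (has a realm), PLAIN (no realm), ldapi peercred.
    for dn in ("uid=spiros,cn=TEIPIR.GR,cn=GSSAPI,cn=auth",
               "uid=spiros,cn=PLAIN,cn=auth",
               "uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth"):
        print(dn, "->", map_authc_dn(dn))
    acl = [parse_access("access to attrs=userPassword,krb5Key "
                        "by anonymous auth by self write by * none")]
    target = "cn=spiros,ou=Managers,dc=teipir,dc=gr"
    print("anonymous may bind with userPassword:",
          allows(acl, "userPassword", None, target, "auth"))
    print("another user may read krb5Key:",
          allows(acl, "krb5Key", "cn=other,dc=teipir,dc=gr", target, "read"))
```

Running it shows two things worth checking in the quoted config: the first sasl-regexp already matches a GSSAPI identity (uid=...,cn=REALM,cn=GSSAPI,cn=auth), so the second rule with krb5PrincipalName only fires for mechanisms whose authcDN carries no realm component; and an "access to * by * write" listed before the attrs= directives makes them unreachable, because slapd stops at the first directive whose target covers the attribute.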