Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem. My configs look like this. The Kerberos attributes on the LDAP PHP side are:
    krb5KDCFlags
    krb5KeyVersionNumber
    krb5MaxLife
    krb5MaxRenew
    krb5PrincipalName
    objectClass: krb5Principal, krb5KDCEntry
SASL config:
    log_level: -1
    pwcheck_method: auxprop saslauthd
    mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
    auxprop_plugin: ldapdb
    ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
    ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
    ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
    ldapdb_mech: GSSAPI EXTERNAL
    ldapdb_starttls: try
My access list is:
    access to * by * write
but I also set up, as I saw in the sasl-regexp config, the mapping below:
    sasl-regexp
        uid=(.+),cn=(.+),cn=.+,cn=auth
        ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
    sasl-regexp
        uid=(.+),cn=.+,cn=auth
        ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
    sasl-regexp
        uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth
        cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr
I have an idea of making it work like the one below, so as to give access to all of the registered users while requiring a password from them. Is that correct?
    # This is needed so sasl-regexp/GSSAPI works correctly
    access to attrs=krb5PrincipalName
        by anonymous auth

    # Kerberos attributes may only be accessible to root/ldapmaster
    access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
        by * none

    # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
    access to attrs=userPassword
        by anonymous auth

    # Anything else we may have forgotten is writable by admin, and viewable by authenticated users
    access to dn.subtree="dc=teipir,dc=gr"
        by users read
When I do something like:
    ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
and although I set it up to require a password (in the SASL config), I get something like this:
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized
Or, when I use any other command on the client side, I have full access to the tree with no password required.
2010/3/19 Dan White <dwhite@olp.net>
On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
Hello there everyone,
I hope you can help me with my issue, because it has really been bothering me for a week.
I set up an LDAP server on Gentoo and, after modifying Heimdal Kerberos and TLS, I am stuck at this point: I get these errors...
additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
    AS-REQ host/proof.teipir.gr@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
    2010-03-18T16:32:58 Client sent patypes: none
    2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
    2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir.gr@TEIPIR.GR
    2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
Is there one host involved or two, and do they both have valid credential caches (klist)?
Does your openldap user have access to /etc/krb5.keytab? What does your cyrus sasl config look like (if it exists)?
Assuming you're using an ldapsearch command from the client, what options are you passing?
Do you have any custom SASL config items in your openldap config (sasl-host, sasl-realm or sasl-secprops)?
-- Dan White
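Added example, not part of the thread and not OpenLDAP code: a small Python model of the two slapd rules that decide what the configuration quoted above actually does. First, slapd tries the sasl-regexp entries in configuration order and uses the first pattern that matches the SASL authcDN, filling $1, $2, ... from the pattern's groups. Second, slapd evaluates access directives in order; the first <what> clause that matches the target entry or attribute decides, and within it the first matching <by> clause gives the level, so directives listed after a matching one are never consulted. The sasl-regexp entries and the access directives are copied from the post (the long Kerberos attribute list is shortened); the sample authcDNs, the requester identities, the function names and the suffix-based dn.subtree check are assumptions made for this example.

```python
"""Added example: replay the posted sasl-regexp entries and access
directives through a simplified model of slapd's first-match evaluation.
Sample DNs and helper names are constructed for the example; the
dn.subtree test is a suffix comparison, not real DN normalisation."""
import re

# sasl-regexp entries as posted, in posted order. slapd compiles these as
# case-insensitive POSIX extended regexes; re.IGNORECASE is close enough here.
SASL_REGEXP = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    (r"uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth",
     "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"),
]


def map_sasl_dn(authc_dn):
    """DN or search URL produced by the first matching sasl-regexp entry,
    or None when no entry matches (slapd then keeps the raw authcDN)."""
    for pattern, replacement in SASL_REGEXP:
        m = re.search(pattern, authc_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group)
        return out
    return None


# slapd access levels, weakest to strongest; a granted level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def who_matches(who, requester):
    """<by> forms used in the post; requester is None for anonymous, else the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    return who.lower() == (requester or "").lower()  # literal dn


def what_matches(what, target_dn, attr):
    """<what> forms used in the post."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.subtree="):
        base = what[len("dn.subtree="):].strip('"').lower()
        return target_dn.lower().endswith(base)  # simplification of DN matching
    raise ValueError(f"unsupported <what>: {what}")


def access_level(acls, target_dn, attr, requester):
    """First matching directive wins; inside it the first matching <by>
    wins; a directive with no matching <by> (or no directive) means 'none'."""
    for what, by_clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester):
                    return level
            return "none"
    return "none"


def allows(acls, target_dn, attr, requester, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(access_level(acls, target_dn, attr, requester)) >= LEVELS.index(needed)


# The posted directives in posted order: the catch-all is first.
POSTED_ACLS = [
    ("*", [("*", "write")]),
    ("attrs=krb5PrincipalName", [("anonymous", "auth")]),
    ("attrs=krb5KeyVersionNumber,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew",
     [("*", "none")]),
    ("attrs=userPassword", [("anonymous", "auth")]),
    ('dn.subtree="dc=teipir,dc=gr"', [("users", "read")]),
]

# The same directives with the catch-all moved to the end.
REORDERED_ACLS = POSTED_ACLS[1:] + POSTED_ACLS[:1]

if __name__ == "__main__":
    for dn in ("uid=spiros,cn=teipir.gr,cn=gssapi,cn=auth",      # constructed GSSAPI authcDN
               "uid=spiros,cn=digest-md5,cn=auth",               # constructed, no realm component
               "uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth"):
        print(f"{dn}\n  -> {map_sasl_dn(dn)}")
    entry = "cn=spiros,ou=Managers,dc=teipir,dc=gr"
    for name, acls in (("posted", POSTED_ACLS), ("reordered", REORDERED_ACLS)):
        print(f"{name}: anonymous on userPassword ->",
              access_level(acls, entry, "userPassword", None))
```

Running it shows that, in the posted order, `access to * by * write` matches every request first, so the directives that follow it (including `by * none` on the key material and `by anonymous auth` on userPassword) are never reached; with the catch-all moved last, an anonymous request against userPassword gets `auth` instead of `write`. It also shows that the first sasl-regexp entry matches any GSSAPI authcDN of the form `uid=...,cn=<realm>,cn=gssapi,cn=auth`, so the second entry is only reached for authcDNs without a realm component.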