Hi List,
I am trying to get LDAP with the SASL GSSAPI mechanism. I have openldap-2.4.7 on RHEL 4. I have installed Cyrus SASL 2.1.21. I have compiled LDAP with Cyrus SASL support as:

[root@as3 libexec]# env LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.6/lib:/usr/local/lib/sasl2:/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include -I/usr/local/ssl/include -I/usr/local/include" LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/lib/sasl2" LIBS=-ldl ./configure --with-tls=openssl --with-cyrus-sasl
It was fine.
SASL was compiled as:

$ ./configure --disable-cram --disable-digest --disable-krb4 --disable-otp --enable-gssapi --with-gss_impl=mit

In /usr/lib/sasl2, it has:

[root@as3 sasl2]# ls libgssapi*
libgssapiv2.la  libgssapiv2.so  libgssapiv2.so.2  libgssapiv2.so.2.0.19

When I run:

[root@as3 libexec]# saslauthd -V
saslauthd 2.1.21
authentication mechanisms: getpwent rimap shadow
I also have a working Kerberos. I am able to get tickets from Kerberos. I have added the ldap host principal to the Kerberos database.
I have my slapd.conf as (SASL related part):

sasl-host as3
sasl-realm BSNL.COM
authz-regexp uid=([^,]*),cn=bsnl.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=bsnl,dc=com

(Also, I have added the first two lines after seeing some mailing list. In the admin guide nothing was mentioned about adding the two lines. Please tell me whether it is correct?)
According to the HOWTO doc from www.bayour.com, when we query LDAP for supportedSASLMechanisms, it should show GSSAPI (my whole purpose). But when I give the following:

[root@as3 openldap]# /usr/bin/ldapsearch -H "ldaps://:12345" -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
Does it mean that LDAP was not built with SASL support?
I have slapd.conf in /usr/lib/sasl2 as:

pwcheck_method: /usr/sbin/saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login ntlm kerberos5

I am not able to get SASL GSSAPI as a supportedSASLMechanism. From where does LDAP get this list? What should I do to add one more mechanism to the supportedSASLMechanisms list? What may be the problem? Please guide me. I am stuck at this point and not able to come out of it.
Thanks a lot in advance.
Thanks and regards, Padmavathi
Padmavathi Dt wrote:
Hi List,
I am trying to get LDAP with the SASL GSSAPI mechanism.
In /usr/lib/sasl2, it has:

[root@as3 sasl2]# ls libgssapi*
libgssapiv2.la  libgssapiv2.so  libgssapiv2.so.2  libgssapiv2.so.2.0.19
To verify the cyrus sasl mechanism is installed correctly, see the command 'pluginviewer'. For example:
neo:~# pluginviewer -s | grep -i GSSAPI
pluginviewer: SASL Other: OTP: auxprop backend can't store properties
CRAM-MD5 PLAIN NTLM GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no

I also have a working Kerberos. I am able to get tickets from Kerberos. I have added the ldap host principal to the Kerberos database.
I have my slapd.conf as (SASL related part):

sasl-host as3
sasl-realm BSNL.COM
authz-regexp uid=([^,]*),cn=bsnl.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=bsnl,dc=com
I don't believe any of these commands should be necessary for the GSSAPI mechanism to show up in the ldapsearch below.
(Also, I have added the first two lines after seeing some mailing list. In the admin guide nothing was mentioned about adding the two lines. Please tell me whether it is correct?)
According to the HOWTO doc from www.bayour.com, when we query LDAP for supportedSASLMechanisms, it should show GSSAPI (my whole purpose). But when I give the following:

[root@as3 openldap]# /usr/bin/ldapsearch -H "ldaps://:12345" -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
Does it mean that LDAP was not built with SASL support?
This could mean that openldap is not able to find a keytab containing the proper kerberos principal, or some other problem which prevents it initializing GSSAPI.
I have slapd.conf in /usr/lib/sasl2 as:

pwcheck_method: /usr/sbin/saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login ntlm kerberos5

kerberos5 doesn't look right. It should be 'gssapi'. My /usr/lib/sasl2/slapd.conf happens to look like:

keytab: /etc/krb5.keytab-ldap
pwcheck_method: auxprop saslauthd
auxprop_plugin: slapd
Specifying mech_list isn't necessary.
- Dan
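The three things Dan's reply points at (the mechanism name in mech_list, a keytab holding the ldap service principal, and what the rootDSE actually advertises) can be checked before restarting slapd. The script below is an added example for this thread, not code from the thread, from OpenLDAP or from Cyrus SASL. Each check reads a file so it runs offline against captured output; the sample files it writes are constructed, modelled on the configuration and ldapsearch output posted above. The FQDN as3.bsnl.com, the keytab path /etc/krb5.keytab and the file names are assumptions.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for offering SASL/GSSAPI from
# slapd.  Not code from this thread, OpenLDAP or Cyrus SASL.  Every check
# reads a file, so it can be pointed at the live config or at captured
# command output; the samples written by write_samples are constructed.
# Assumptions: FQDN as3.bsnl.com, realm BSNL.COM, keytab /etc/krb5.keytab.

# Check 1: if mech_list is set in the SASL application config (slapd.conf in
# the plugin directory of the libsasl2 slapd links against), it must use Cyrus
# mechanism names.  "gssapi" is the name; "kerberos5" is not a mechanism and
# listing it just leaves GSSAPI out of the offered set.  $1 = config path.
check_mech_list() {
    mechs=$(sed 's/#.*//' "$1" |
        awk -F: 'tolower($1) ~ /^[[:space:]]*mech_list[[:space:]]*$/ { $1 = ""; print tolower($0) }')
    if [ -z "$mechs" ]; then
        echo "mech_list: unset, every installed mechanism is offered"
        return 0
    fi
    case " $mechs " in
        *" gssapi "*)    echo "mech_list: gssapi present"; return 0 ;;
        *" kerberos5 "*) echo "mech_list: 'kerberos5' is not a Cyrus mechanism name, write 'gssapi'"; return 1 ;;
        *)               echo "mech_list: gssapi missing from:$mechs"; return 1 ;;
    esac
}

# Check 2: the GSSAPI acceptor needs the key for ldap/<fqdn>@REALM, in a
# keytab slapd can read (KRB5_KTNAME, or 'keytab:' in the SASL slapd.conf).
# $1 = captured 'klist -k <keytab>' output, $2 = canonical FQDN, $3 = realm.
check_keytab_principal() {
    want="ldap/$2@$3"
    if awk -v p="$want" '$2 == p { found = 1 } END { exit !found }' "$1"; then
        echo "keytab: $want present"
        return 0
    fi
    echo "keytab: $want missing"
    return 1
}

# Check 3: what the server really offers.  Capture with
#   ldapsearch -x -H ldap://<host> -b '' -s base -LLL supportedSASLMechanisms
# and pass the LDIF in.  $1 = LDIF file.  Passes only if GSSAPI is listed.
check_rootdse_offers_gssapi() {
    offered=$(awk '$1 == "supportedSASLMechanisms:" { printf "%s ", $2 }' "$1")
    case " $offered" in
        *" GSSAPI "*) echo "rootDSE offers: ${offered}(GSSAPI ok)"; return 0 ;;
    esac
    echo "rootDSE offers: ${offered:-nothing }(no GSSAPI)"
    return 1
}

# Constructed sample inputs, modelled on what was posted in the thread.
write_samples() {   # $1 = directory to write into
    printf '%s\n' 'pwcheck_method: saslauthd' \
        'saslauthd_path: /var/run/saslauthd/mux' \
        'mech_list: plain login ntlm kerberos5' > "$1/sasl-slapd-as-posted.conf"
    printf '%s\n' 'keytab: /etc/krb5.keytab' \
        'pwcheck_method: saslauthd' \
        'mech_list: plain login ntlm gssapi' > "$1/sasl-slapd-fixed.conf"
    printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' \
        'KVNO Principal' \
        '---- ----------------------------------------' \
        '   3 host/as3.bsnl.com@BSNL.COM' \
        '   3 ldap/as3.bsnl.com@BSNL.COM' > "$1/klist.txt"
    printf '%s\n' 'dn:' \
        'supportedSASLMechanisms: NTLM' \
        'supportedSASLMechanisms: PLAIN' \
        'supportedSASLMechanisms: LOGIN' > "$1/rootdse.ldif"
}

# Run the checks against the samples; prints one line per check plus a total.
run_demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    fails=0
    check_mech_list "$dir/sasl-slapd-as-posted.conf"              || fails=$((fails + 1))
    check_mech_list "$dir/sasl-slapd-fixed.conf"                  || fails=$((fails + 1))
    check_keytab_principal "$dir/klist.txt" as3.bsnl.com BSNL.COM || fails=$((fails + 1))
    check_rootdse_offers_gssapi "$dir/rootdse.ldif"               || fails=$((fails + 1))
    rm -rf "$dir"
    echo "$fails of 4 checks failed"
}

run_demo
```

To check a live host, point the functions at the real files: the SASL slapd.conf, `klist -k /etc/krb5.keytab` saved to a file, and the rootDSE ldapsearch output. Two things the script cannot see for you: the keytab has to be readable by the user slapd runs as, and with a second Cyrus SASL built under /usr/local the library slapd is linked against (`ldd slapd`) decides which plugin directory, and therefore which slapd.conf, is consulted, which need not be /usr/lib/sasl2. Also note that `pwcheck_method` takes a method name such as `saslauthd`, as in Dan's file, not the path of the daemon.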
On Tuesday 15 April 2008 11:53:07 Padmavathi Dt wrote:
Hi List,
I am trying to get LDAP with SASL-GSSAPI mechanism.
This should have solved your problem on a clean install:
up2date cyrus-sasl-gssapi

or

yum install cyrus-sasl-gssapi
But, you've butchered your box, so you can't be guaranteed that this will work any more.
BTW, you would have had a better result (regarding OpenLDAP 2.4 installation) with less effort by looking at http://staff.telkomsa.net/packages/rhel4/openldap/
Regards, Buchan