Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND authcid="aahmed@DOMAIN.COM" authzid="aahmed@DOMAIN.COM"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="uid=aahmed,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SEARCH RESULT tag=101 err=0 nentries=11 text=
Thanks.
> Date: Fri, 1 Feb 2013 13:53:29 -0600
> From: dwhite@olp.net
> To: asabatgirl@hotmail.com
> CC: openldap-technical@openldap.org
> Subject: Re: client server connection to LDAP/Kerberos
>
> On 02/01/13 10:08 +1100, Asmaa Ahmed wrote:
> >Hello,
> >
> >I recently added Kerberos authentication to my LDAP server, and I am trying
> >to connect the other servers to it.
> >I have a server running Davical shared calendar, and I hope to get it
> >working with my LDAP server again after Kerberos integration.
> >
> >Here is my configuration which was working before the integration and my
> >source is
> >"http://wiki.davical.org/w/Configuration/LDAP#Kerberos_Authentication"
> >
> > $c->authenticate_hook['config'] = array(
> >   'host' => 'ldap.domain.com', //host name of your LDAP Server
> >   'port' => '389', //port
> >// 'bindDN' => 'cn=admin,dc=domain,dc=com', //DN to bind request to this server (if required)
> >// 'passDN' => 'password', //Password of request bind
> >   'baseDNUsers' => 'ou=People,dc=domain,dc=com', //where to look for valid user
> >   'filterUsers' => 'objectClass=*', //filter which must validate a user according to RFC4515, i.e. surrounded by brackets
> >   'protocolVersion' => 3, // important for simple auth (no sasl)
> >// 'startTLS' => true, // securing your LDAP connection
> >   'i_use_mode_kerberos' => "i_know_what_i_am_doing",
> > );
> >
> >My slapd error logs:
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
> >Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND
> >
> >My OLC configuration:
> >root@ldap:/var/log# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
> >dn: cn=config
> >objectClass: olcGlobal
> >cn: config
> >olcArgsFile: /var/run/slapd/slapd.args
> >olcAuthzRegexp: {0}uid=([^,]+),cn=domain.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=domain,dc=com
> >olcLogLevel: stats
> >olcPidFile: /var/run/slapd/slapd.pid
> >olcSaslRealm: DOMAIN.COM
> >olcToolThreads: 1
> >
> >dn: olcDatabase={1}hdb,cn=config
> >objectClass: olcDatabaseConfig
> >objectClass: olcHdbConfig
> >olcDatabase: {1}hdb
> >olcDbDirectory: /var/lib/ldap
> >olcSuffix: dc=domain,dc=com
> >olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
> >olcAccess: {1}to dn.subtree="ou=krb5,dc=domain,dc=com" by dn="cn=adm-srv,ou=krb5,domain,dc=com" write by dn="cn=kdc-srv,ou=krb5,domain,dc=com" read by * none
> >olcAccess: {2}to attrs=loginShell,gecos by self write by users read by * none
> >olcAccess: {3}to dn.base="" by * read
> >olcAccess: {4}to * by users read by * none
> >olcLastMod: TRUE
> >olcRootDN: uid=admin,ou=people,domain,dc=com
> >
> >
> >Any suggestion to fix the binding and get my search working again with
> >Kerberos authentication?
> >
> >Thanks.
>
> Can you reproduce this problem with ldapsearch and/or ldapwhoami (-Y
> GSSAPI) on the server which is running davical?
>
> --
> Dan White
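The slapd "stats" records quoted in this thread are easiest to compare when grouped per connection: the Davical connection (conn=1273) bound anonymously (BIND dn="" method=128) and its search on ou=People ended in err=32 (noSuchObject) with zero entries, while the later GSSAPI connection (conn=1374) bound as a mapped DN and got 11 entries. The script below is an added example, not code from the thread, from OpenLDAP or from DAViCal. It parses stats-level lines, merges the two BIND lines a SASL bind produces, and flags an unauthenticated connection whose search returned noSuchObject. The sample log is the thread's quoted lines retyped one record per line; the function names and the report layout are my own.

```python
"""Group slapd 'stats' log records (conn=N op=N ...) per connection and
summarise how each client bound and what its searches returned.
Added example; assumes the olcLogLevel stats format shown in the thread."""
import re

# Constructed sample: the two connections quoted in the thread, one record per line.
SAMPLE_LOG = """\
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND authcid="aahmed@DOMAIN.COM" authzid="aahmed@DOMAIN.COM"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="uid=aahmed,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SEARCH RESULT tag=101 err=0 nentries=11 text=
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# LDAP resultCode values relevant to this diagnosis (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}


def parse_kv(text):
    """'dn="" method=128' -> {'dn': '', 'method': '128'} (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_stats_log(text):
    """Return {conn_id: {'peer', 'bind', 'searches', 'unbound'}} from stats lines."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group("conn"),
                                {"peer": None, "bind": {}, "searches": {}, "unbound": False})
        rest = m.group("rest")
        if rest.startswith("fd="):                      # conn=N fd=F ACCEPT from IP=...
            ip = re.search(r"ACCEPT from IP=(\S+)", rest)
            conn["peer"] = ip.group(1) if ip else None
            continue
        op_tok, _, tail = rest.partition(" ")           # e.g. 'op=1 SRCH base=...'
        op = op_tok.partition("=")[2]
        kind, _, tail = tail.partition(" ")
        if kind == "BIND":
            # A SASL bind logs two BIND lines (authcid/authzid, then dn/mech); merge them.
            conn["bind"].update(parse_kv(tail))
            conn["bind"]["op"] = op
        elif kind == "RESULT" and op == conn["bind"].get("op"):
            conn["bind"]["err"] = int(parse_kv(tail)["err"])
        elif kind == "SRCH":
            srch = conn["searches"].setdefault(op, {})
            if tail.startswith("attr="):                # requested attribute list
                srch["attrs"] = tail[len("attr="):].split()
            else:
                srch.update(parse_kv(tail))
        elif kind == "SEARCH" and tail.startswith("RESULT"):
            r = parse_kv(tail)
            srch = conn["searches"].setdefault(op, {})
            srch["err"] = int(r["err"])
            srch["nentries"] = int(r["nentries"])
        elif kind == "UNBIND":
            conn["unbound"] = True
    return conns


def describe_bind(bind):
    """One-line summary of the identity a connection ended up with."""
    if not bind:
        return "no bind (anonymous)"
    if bind.get("mech"):
        return "SASL/%s as %s (ssf=%s)" % (bind["mech"], bind.get("dn") or "<unmapped>", bind.get("ssf"))
    if bind.get("method") == "128":                     # method=128 is a simple bind
        return "anonymous simple bind" if bind.get("dn", "") == "" else "simple bind as " + bind["dn"]
    return "bind method=%s" % bind.get("method")


def diagnose(conns):
    """Per connection: who bound, what each search returned, and whether an
    unauthenticated search got noSuchObject (an ACL such as 'by * none' on the
    base entry makes it invisible to anonymous clients, which is reported as err=32)."""
    report = {}
    for cid, c in conns.items():
        authenticated = bool(c["bind"].get("dn"))
        searches, anon_nso = [], False
        for op, s in sorted(c["searches"].items()):
            if "err" not in s:
                continue
            code = RESULT_CODES.get(s["err"], "resultCode %d" % s["err"])
            searches.append({"base": s.get("base"), "result": code, "nentries": s.get("nentries", 0)})
            anon_nso = anon_nso or (s["err"] == 32 and not authenticated)
        report[cid] = {"peer": c["peer"], "bind": describe_bind(c["bind"]),
                       "searches": searches, "anonymous_nosuchobject": anon_nso}
    return report


if __name__ == "__main__":
    for cid, r in diagnose(parse_stats_log(SAMPLE_LOG)).items():
        print("conn=%s peer=%s: %s" % (cid, r["peer"], r["bind"]))
        for s in r["searches"]:
            print("  search base=%s -> %s, %d entries" % (s["base"], s["result"], s["nentries"]))
        if r["anonymous_nosuchobject"]:
            print("  anonymous search got noSuchObject: the bind carried no identity")
```

Run against a real log with `olcLogLevel: stats`, the summary shows at a glance whether the client's bind actually carried an identity; here it makes plain that the Davical connection never did, which matches Dan White's suggestion to reproduce the bind with ldapwhoami -Y GSSAPI from the Davical host before looking anywhere else.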