On Fri, 21 Jan 2011 11:45:53 +0100, Thomas Schweikle tps@vr-web.de wrote:
> Hi!
>
> I kerberized ldap:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=example,dc=com
> olcSaslHost: srv.example.com
> olcSaslRealm: EXAMPLE.COM
>
> In /etc/ldap/ldap.conf:
>
> BASE dc=example,dc=com
> URI ldap://srv.example.com
> SASL_MECH GSSAPI
>
> In /etc/ldap.conf
>
> base dc=example,dc=com
> uri ldap://srv.example.com
> ldap_version 3
> rootbinddn cn=adm,dc=example,dc=com
> pam_password md5
This is not an OpenLDAP configuration file.
> I now try to connect to my ldap server:
>
> client:~$ ldapsearch -H ldap://srv.example.com
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in database
It seems that slapd doesn't have knowledge of the SASL mechanism GSSAPI; check with

ldapsearch -x -LLL -H ldap://srv.example.com -b "" -s base supportedSASLMechanisms
> client:~$ ldapsearch -D uid=user,dc=example,dc=com -H ldap://srv.example.com
> ldap_bind: Server is unwilling to perform (53)
>         additional info: unauthenticated bind (DN with no password) disallowed
You want to do a SASL bind with the GSSAPI mechanism:

ldapsearch -Y GSSAPI -H ldap://srv.example.com
-Dieter
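As an added illustration of the two suggestions in Dieter's reply (this is not part of the thread and not OpenLDAP's own code): a POSIX shell script that reads the kind of LDIF the supportedSASLMechanisms query prints, decides whether a GSSAPI bind is worth trying, and shows which DN the posted olcAuthzRegexp maps a Kerberos principal to. The LDIF below is constructed rather than captured from srv.example.com, the helper names are mine, and the real regexp mapping happens inside slapd; the script only reproduces it with sed so the mapping can be checked before restarting the server.

```shell
#!/bin/sh
# Added example (not from the thread): parse a rootDSE answer for the
# advertised SASL mechanisms, decide which ldapsearch bind to try, and
# preview the thread's olcAuthzRegexp mapping. Runs offline.

# Constructed sample of what
#   ldapsearch -x -LLL -H ldap://srv.example.com -b "" -s base supportedSASLMechanisms
# prints when slapd has loaded the GSSAPI plugin (assumed output).
ROOTDSE_LDIF='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
'

# Print the mechanisms listed in an LDIF rootDSE answer, one per line.
sasl_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: *//p'
}

# Exit 0 if the named mechanism is offered, 1 otherwise.
offers_mech() {
    sasl_mechs "$1" | grep -qx "$2"
}

# Apply the thread's olcAuthzRegexp to a SASL authorization DN.
# slapd builds that DN as uid=<principal>,cn=<realm>,cn=gssapi,cn=auth;
# realm and mechanism are written in lower case here to match the
# posted regexp. Hypothetical helper: slapd does this internally.
map_authzid() {
    printf '%s\n' "$1" | sed -n \
        's/^uid=\(.*\),cn=example\.com,cn=gssapi,cn=auth$/uid=\1,ou=Users,dc=example,dc=com/p'
}

# Pick the ldapsearch invocation to try, based on the rootDSE answer.
suggest_bind() {
    if offers_mech "$1" GSSAPI; then
        echo 'ldapsearch -Y GSSAPI -H ldap://srv.example.com'
    else
        echo 'slapd does not advertise GSSAPI: check olcSaslHost/olcSaslRealm, the keytab, and the cyrus-sasl GSSAPI plugin'
    fi
}

# Stand-alone run: show mechanisms, the suggested bind, and one mapping.
if [ "${1:-}" = "--demo" ]; then
    sasl_mechs "$ROOTDSE_LDIF"
    suggest_bind "$ROOTDSE_LDIF"
    map_authzid 'uid=user,cn=example.com,cn=gssapi,cn=auth'
fi
```

Run it with `--demo` to see the three mechanisms, the GSSAPI bind line, and `uid=user,ou=Users,dc=example,dc=com` as the mapped DN. If `sasl_mechs` prints nothing for the real server's answer, the bind mechanism in ldap.conf is irrelevant: slapd is not offering GSSAPI at all, which is the condition Dieter's reply points at.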