Dan White wrote:
On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far.
The userPassword value translates to {SASL}diego.lima@USERS
IMO that's not needed for SASL/GSSAPI.
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of a -D option:
ldapwhoami -U diego.lima@USERS
He would also have to specify -Y GSSAPI. And of course slapd has to be kerberized first to make this work.
By default, the cyrus sasl library will not use saslauthd. You'll need to create a /usr/lib/sasl2/slapd.conf file with:
pwcheck_method: saslauthd
Are you sure that's suitable for SASL/GSSAPI for Krb5? Frankly I have some doubts because that's for password-based mechs.
Ciao, Michael.
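A small diagnostic that follows the advice in the thread, added here as an example and not part of the original messages: before debugging a failing bind, ask slapd which SASL mechanisms it actually advertises in its rootDSE, and only then attempt the `ldapwhoami -Y GSSAPI -U <principal>` form that Dan and Michael describe. The rootDSE LDIF embedded below is a constructed sample so the parsing can be exercised offline; the host name ldap.example.com and the principal passed to check_live are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check which SASL mechanisms slapd
# advertises before attempting a GSSAPI bind.

# Read an LDIF rootDSE dump on stdin and print the mechanism names, one per
# line, taken from "supportedSASLMechanisms: <name>" attribute lines.
sasl_mechs_from_ldif() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Succeed (exit 0) if the mechanism named in $1 appears on stdin, one per line.
has_mech() {
    grep -qx "$1"
}

# Constructed sample of what
#   ldapsearch -x -LLL -s base -b '' supportedSASLMechanisms
# typically prints for a kerberized slapd; used only for offline testing.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
'

# Query a live server and, if GSSAPI is offered, try the bind the thread
# recommends (-Y GSSAPI with -U, no -D).  Host and principal are caller-supplied;
# ldap.example.com below is a hypothetical name used in the usage note.
check_live() {
    host="$1"
    principal="$2"
    mechs=$(ldapsearch -x -LLL -H "ldap://$host" -s base -b '' supportedSASLMechanisms 2>/dev/null \
            | sasl_mechs_from_ldif)
    if printf '%s\n' "$mechs" | has_mech GSSAPI; then
        echo "GSSAPI advertised by $host; testing SASL bind as $principal"
        ldapwhoami -H "ldap://$host" -Y GSSAPI -U "$principal"
    else
        echo "slapd at $host does not advertise GSSAPI; fix the SASL/keytab setup before debugging the bind" >&2
        return 1
    fi
}

# Usage: check_live ldap.example.com diego.lima@USERS
```

Because the rootDSE query is an anonymous simple bind (`-x`), it works even while SASL is misconfigured, which makes it a better first step than repeating the failing authenticated search. If GSSAPI is missing from the list, the problem is on the server side (slapd not kerberized, or the SASL library not finding its mechanism plugins), not in the client's bind options.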