Chastity Blackwell wrote:
On Thu, 2012-01-26 at 17:38 -0500, Howard Chu wrote:
Raffael Sahli wrote:
No, authz-regexp is to map a sasl dn to a real user account in your ldap directory.
But your user is chas@test.com with a realm named test.com, your userPassword should be {SASL}chas@KRBTEST
What the heck are you talking about? If the username is chas@test.com then that is what goes in the password:
userpassword: {SASL}chas@test.com
If the realm is actually KRBTEST then the username should be chas@KRBTEST.
and also exists as a principal on your kerberos db ;)
Okay, I'm a little confused here now.
Clearly.
So here's what I have in krb5.conf:
Does kinit work for your chas@KRBTEST user? Judging from what you've pasted here, I don't think it should. Get your basic Kerberos installation working first. Take things one step at a time.
[libdefaults] default_realm = KRBTEST dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes
[realms] AKTEST = { kdc = ldapsandbox.test.com:88 admin_server = ldapsandbox.test.com:749 default_domain = test.com }
[domain_realm] .agkn.net = KRBTEST agkn.net = KRBTEST
And when I look at my principals in Kerberos, this is what I have:
kadmin: listprincs K/M@KRBTEST chas/admin@KRBTEST chas@KRBTEST host/ldapsandbox.test.com@KRBTEST kadmin/admin@AKTEST kadmin/changepw@AKTEST kadmin/history@AKTEST kadmin/ldapsandbox.test.com@KRBTEST krbtgt/KRBTEST@KRBTEST ldap/ldapsandbox.test.com@KRBTEST root/admin@KRBTEST
So what should the userPassword attribute be set to? I assumed it should be {SASL}chas@KRBTEST -- is that correct? I just want to make sure I'm on the right track there.