On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far. I've already set up MIT Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
        renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are authenticating with for saslauthd. Use '-U diego.lima@USERS' instead of the -D option:
ldapwhoami -U diego.lima@USERS
I see nothing on the saslauthd output when I try to log in. Did I miss anything? Please note that I'm trying to use the same kerberos principal as my user, and this is intended. I did try adding another user (account and posixAccount objectClasses) with a separate kerberos principal and that did not work either.
By default, the cyrus sasl library will not use saslauthd. You'll need to create a /usr/lib/sasl2/slapd.conf file with:
pwcheck_method: saslauthd
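Putting the two suggestions above together, here is an added example of the full configuration involved. It is not from the original thread; it shows the Cyrus SASL per-application file that slapd reads (the /usr/lib/sasl2/slapd.conf named above; some distributions use /etc/sasl2 instead, which is an assumption here), next to slapd.conf directives that keep the cleartext password off the network. The mechanism list, the saslauthd socket path and the SSF value are assumptions, not settings taken from the poster's system.

```conf
# /usr/lib/sasl2/slapd.conf -- Cyrus SASL settings for the "slapd" application.
# Without this file libsasl2 ignores saslauthd entirely, which is why testsaslauthd
# succeeds while the bind through slapd fails and saslauthd logs nothing.
pwcheck_method: saslauthd
# saslauthd can only verify mechanisms that deliver the cleartext password to it
# (it forwards that password to the Kerberos KDC as a password check), so only
# plaintext-style mechanisms belong here. GSSAPI ticket-based binds do not go
# through saslauthd at all.
mech_list: PLAIN LOGIN
# Only needed if saslauthd listens somewhere other than the library default
# (path below is an assumption):
# saslauthd_path: /var/run/saslauthd/mux

# slapd.conf -- OpenLDAP server directives (a different file from the one above).
# Both the simple bind against userPassword: {SASL}diego.lima@USERS and a
# "ldapwhoami -U diego.lima@USERS" SASL/PLAIN bind send the password itself,
# so require TLS before either is accepted.
#
# Weak: any client may send the password over a cleartext connection.
#   security simple_bind=0
#   sasl-secprops none
#
# Corrected: refuse simple binds below 128-bit transport protection, and keep
# the default SASL security properties so PLAIN/LOGIN are only offered once
# the session already has TLS (noplain) and anonymous SASL is off.
security simple_bind=128
sasl-secprops noanonymous,noplain
```

With the corrected settings the client must start TLS first, e.g. `ldapwhoami -ZZ -U diego.lima@USERS`; an unprotected `ldapwhoami -U diego.lima@USERS` will not even see PLAIN in the server's supportedSASLMechanisms, and an unprotected simple bind is refused with a confidentiality error rather than silently checked. If every operation, not just binds, should require TLS, use `security ssf=128` instead of `simple_bind=128`.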