>I think your best option is to just keep Kerberos for authentication, >especially if you are already using it successfully for other apps. >What problems did you have with SASL mapping? Hi Richad, Thanks for your reply. I've followed the documentation on the FDS website, basically to keep it as compatible as possible, I've added (under confg - sasl - mapping): objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: .* nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com nsSaslMapFilterTemplate: (cn=&) On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin). On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to: host: myfds.example.com base dc=example, dc=com SASL_MECH GSSAPI SASL_REALM MYEXAMPLE.COM use_sasl on sasl_auth_id nssldap/myclient.myexample.com When trying to do an ldapwoami I recieve: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied). I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS. One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above - and if so what it should look like). Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap. Any help would be appreciated. Regards, Jonathan
