Jonathan Schreiter wrote: >> I think your best option is to just keep Kerberos for authentication, >> especially if you are already using it successfully for other apps. >> What problems did you have with SASL mapping? >> > > Hi Richad, > Thanks for your reply. I've followed the documentation on the FDS website, basically to keep it as compatible as possible, I've added (under confg - sasl - mapping): > > objectclass: top > objectclass: nsSaslMapping > cn: mapname > nsSaslMapRegexString: .* > nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com > nsSaslMapFilterTemplate: (cn=&) > Hmm - this doesn't seem quite right. For one (cn=&) is not the correct syntax. What does & mean here? If by & you mean "the entire string matched by nsSaslMapRegexString" then this means you expect a SASL username of something like "John Doe" which is mapped to an entry with cn=John Doe under ou=People. But this still won't work unless you do something like this: nsSaslMapRegexString: \(.*\) ... nsSaslMapFilterTemplate: (cn=\1) You have to use the escaped parentheses in the regexstring to put the match into a matching group (referenced by \1). But I still don't think this will work unless you have a very nonstandard Kerberos set up. The regex string is supposed to match against the Kerberos principal, which is usually something like jdoe at DOMAIN.COM, or the domain is omitted and the principal sent to the DS is just "jdoe". The examples at http://directory.fedora.redhat.com/wiki/Howto:Kerberos describe both of these situations. > On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin). > > On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to: > host: myfds.example.com > base dc=example, dc=com > SASL_MECH GSSAPI > SASL_REALM MYEXAMPLE.COM > use_sasl on > sasl_auth_id nssldap/myclient.myexample.com > > When trying to do an ldapwoami I recieve: > ldap_sasl_interactive_bind_s: Invalid credentials (49) > additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied). > > I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS. > > One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above - and if so what it should look like). You're pretty close, just refer to http://directory.fedora.redhat.com/wiki/Howto:Kerberos > Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap. > What settings? > Any help would be appreciated. > > Regards, > Jonathan > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20070129/b5f240da/attachment.bin
