FDS / PAM Integration Questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Richard,
I should have probably provided more detail.  I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely:

dn: cn=mapname,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)

And that poduces the same SASL GSSAPI errors as in the last post.  The link on that HOWTO that points to the SASL configurations shows the other configuraton paramaters (the ones that I also tried and posted in my last message).  The install isa standard user at mydomain.com so you're probably correct and I've canged that entry to the above settings.

The SASL documenation:
Configuring SASL Identity Mapping from the Console 
In the Console, open the Directory Server. 
Open the "Configuration" tab. 
Select the "SASL Mapping" tab. 
To add new SASL identities, select the "Add" button, and fill in the required values. 

The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it wasn't clear if this was required or not.  Can you confirm?  If it is required, what would the fields be filled with - do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above?

Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work...such as:

dn: cn=mapname2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString:  [^/]+/\(.+\)
nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com
nsSaslMapFilterTemplate: .*


> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.  
>   
What settings?

The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or SASL on the FDS sites), but they are:
SASL_MECH GSSAPI
SASL_REALM MYEXAMPLE.COM
use_sasl_on
sasl_auhid nssldap/myclient.myexample.com

I've tried with and without these settings and I still get the the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied).  When I set these, I beleve it is used for default settings (such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).

Any thoughts would be appreciated!

Many thanks again,
Jonathan
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux