Jonathan Schreiter wrote:
Hmm - this doesn't seem quite right. For one (cn=&) is not the correct syntax. What does & mean here? If by & you mean "the entire string matched by nsSaslMapRegexString" then this means you expect a SASL username of something like "John Doe" which is mapped to an entry with cn=John Doe under ou=People. But this still won't work unless you do something like this:I think your best option is to just keep Kerberos for authentication, especially if you are already using it successfully for other apps. What problems did you have with SASL mapping?Hi Richad, Thanks for your reply. I've followed the documentation on the FDS website, basically to keep it as compatible as possible, I've added (under confg - sasl - mapping): objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: .* nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=comnsSaslMapFilterTemplate: (cn=&)
nsSaslMapRegexString: \(.*\) ... nsSaslMapFilterTemplate: (cn=\1) You have to use the escaped parentheses in the regexstring to put the match into a matching group (referenced by \1). But I still don't think this will work unless you have a very nonstandard Kerberos set up. The regex string is supposed to match against the Kerberos principal, which is usually something like jdoe@xxxxxxxxxx, or the domain is omitted and the principal sent to the DS is just "jdoe". The examples at http://directory.fedora.redhat.com/wiki/Howto:Kerberos describe both of these situations.
You're pretty close, just refer to http://directory.fedora.redhat.com/wiki/Howto:KerberosOn the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin). On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to: host: myfds.example.com base dc=example, dc=com SASL_MECH GSSAPI SASL_REALM MYEXAMPLE.COM use_sasl on sasl_auth_id nssldap/myclient.myexample.com When trying to do an ldapwoami I recieve: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied). I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS. One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above - and if so what it should look like).
Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.
What settings?
Any help would be appreciated. Regards, Jonathan -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
