Jonathan Schreiter wrote:
If you don't need the DOMAIN part, you can omit the second set of parentheses and just haveHi Richard, I should have probably provided more detail. I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely: dn: cn=mapname,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: \(.*\)@\(.*\)
\(.*\)@.*
Do your users have a DN of uid=jdoe,dc=myexample,dc=com or uid=jdoe,ou=People,dc=myexample,dc=com? If the latter, then this won't work. You'll have to usensSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com
nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=myexample,dc=comThis is good if you are sure that all of your users' entries are under ou=People and have a uid that matches the principal name.
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
Or, just use nsSaslMapBaseDNTemplate: ou=People,dc=myexample,dc=com nsSaslMapFilterTemplate: (uid=\1)
If you've added the above entry using ldapmodify or by editing dse.ldif, then you do not have to add it with the console - although it is a good idea to use the console to add this configuration unless you really know what you're doing, because you'll have to add the cn=mapping entry parent before the cn=mapname child config entry.And that poduces the same SASL GSSAPI errors as in the last post. The link on that HOWTO that points to the SASL configurations shows the other configuraton paramaters (the ones that I also tried and posted in my last message). The install isa standard user@xxxxxxxxxxxx so you're probably correct and I've canged that entry to the above settings. The SASL documenation:Configuring SASL Identity Mapping from the Console In the Console, open the Directory Server. Open the "Configuration" tab. Select the "SASL Mapping" tab. To add new SASL identities, select the "Add" button, and fill in the required values.The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it wasn't clear if this was required or not. Can you confirm?
If it is required, what would the fields be filled with - do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above?
I'm not sure what you mean.
No, not unless FDS is going to use it's service principal to do a SASL/GSSAPI BIND to another FDS.Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work...such as:
dn: cn=mapname2,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: [^/]+/\(.+\) nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com nsSaslMapFilterTemplate: .*Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.What settings? The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or SASL on the FDS sites), but they are: SASL_MECH GSSAPI SASL_REALM MYEXAMPLE.COM use_sasl_on sasl_auhid nssldap/myclient.myexample.com I've tried with and without these settings and I still get the the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied). When I set these, I beleve it is used for default settings (such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).
Ok. Those are client side settings that do not affect Fedora DS.
Any thoughts would be appreciated! Many thanks again, Jonathan -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
