Re: FDS, Kerberos, SASL confusion

Hintermayer Johannes wrote:

> #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( <DEFAULT> )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (Permission denied)

I see that, having fixed your permissions, that error is now "SASL(-14): authorization failure:". Is there any more information in the error logs?

> I have tried several combinations of config files and password entries
> but none worked.

As far as I know, the userpassword contents are evaluated by OpenLDAP, but not by Fedora DS. That attribute's contents shouldn't make any difference when you're using GSSAPI authentication. You can delete the attribute if you're not storing an actual password.

> 1. Do I need saslauthd on every client which I want to authenticate via
> FDS/Kerberos?

No.  You don't need to configure it on the server, either.

> 2. Do I need a host principal for every client?

No. You don't even need one on the server for authenticating LDAP connections.

> Here is my current configuration, please correct me if there are some
> unneeded files (these were built together from several tutorials):

> /etc/krb5.conf

That looks fine.

> /etc/ldap.conf
>
> host 172.16.50.2
> base dc=afb,dc=lan
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> SASL_MECH GSSAPI
> SASL_REALM AFB.LAN
> use_sasl on
> sasl_auth_id ldap/vafbds01.afb.lan

I'm not sure how much of the SASL stuff is required. I don't have any of it in my own configs. Try commenting all of the SASL related lines, and see if anything changes.

> /etc/sysconfig/saslauthd

You don't need saslauthd.

> /usr/lib/sasl2/slapd.conf

...nor do you need this.

> SASL Mapping:
> nssaslmapfiltertemplate: (uid=\1)
> nssaslmapregexstring: \(.*\)@\(.*\)

Under what DN are you storing that? Have you tried without the '\' characters in nssaslmapregexstring? The Howto disagrees with the manual about this... I don't use '\' characters in my working configuration.

> /opt/fedora-ds/slapd-vafbds01/start-slapd contains:
> "export KRB5_KTNAME=/etc/krb5.keytab"

In order to protect your host keytab, you should store the LDAP server's keytab in a different file. The host keytab should be readable only by root.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
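The following is an added illustration and is not code from the thread or from Fedora DS. It simulates what the SASL mapping discussed above does: the GSSAPI principal (e.g. bsmith@AFB.LAN) is matched against nsSaslMapRegexString, and the capture groups are substituted into nsSaslMapFilterTemplate and nsSaslMapBaseDNTemplate to find the entry the connection is bound as. Assumptions: Python's re module stands in for the server's regex engine, so "(" groups and "\(" is a literal parenthesis, which matches the responder's report that the unescaped form works; the entry DN cn=...,cn=mapping,cn=sasl,cn=config and the attribute names follow the 389/Fedora DS documentation and should be checked against the manual for your version; the principals and the realm-pinned regex are constructed for the example.

```python
import re

# Constructed inputs mirroring the mapping posted in the thread (assumption:
# the regex engine treats '(' as a group and '\(' as a literal parenthesis,
# as Python's re does).
REGEX_POSTED = r"\(.*\)@\(.*\)"          # the form posted, with backslashes
REGEX_UNESCAPED = r"(.*)@(.*)"           # the responder's form, no backslashes
REGEX_PINNED = r"^([^/@]+)@AFB\.LAN$"    # added: anchored, realm pinned, no '/' in uid
FILTER_TEMPLATE = r"(uid=\1)"
BASE_DN_TEMPLATE = "dc=afb,dc=lan"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def _fill(template, groups, escape):
    """Replace \\1, \\2 ... in a template with the escaped capture groups."""
    return re.sub(r"\\(\d)", lambda m: escape(groups[int(m.group(1)) - 1]), template)


def apply_sasl_mapping(principal, regex, filter_template=FILTER_TEMPLATE,
                       base_template=BASE_DN_TEMPLATE):
    """Return (filter, base_dn) for a principal, or None if the regex does not match.

    re.search (not fullmatch) mirrors an unanchored regexec(): a pattern that
    does not start with ^ may match in the middle of the principal, so anchor it.
    """
    m = re.search(regex, principal)
    if m is None:
        return None
    groups = m.groups()
    return (_fill(filter_template, groups, escape_filter_value),
            _fill(base_template, groups, escape_dn_value))


def mapping_ldif(name, regex, base_template=BASE_DN_TEMPLATE,
                 filter_template=FILTER_TEMPLATE):
    """LDIF for a mapping entry under cn=mapping,cn=sasl,cn=config (389/Fedora DS
    attribute names as documented; verify against the manual for your version)."""
    return "\n".join([
        "dn: cn=%s,cn=mapping,cn=sasl,cn=config" % name,
        "objectClass: top",
        "objectClass: nsSaslMapping",
        "cn: %s" % name,
        "nsSaslMapRegexString: %s" % regex,
        "nsSaslMapBaseDNTemplate: %s" % base_template,
        "nsSaslMapFilterTemplate: %s" % filter_template,
    ]) + "\n"


if __name__ == "__main__":
    # Constructed principals: a normal user, a foreign-realm user with the same
    # uid, the LDAP service principal, and a uid containing a filter metacharacter.
    for p in ("bsmith@AFB.LAN", "bsmith@EVIL.LAN",
              "ldap/vafbds01.afb.lan@AFB.LAN", "b*smith@AFB.LAN"):
        for label, rx in (("posted", REGEX_POSTED), ("unescaped", REGEX_UNESCAPED),
                          ("pinned", REGEX_PINNED)):
            print("%-32s %-9s -> %s" % (p, label, apply_sasl_mapping(p, rx)))
    print(mapping_ldif("afb-kerberos", REGEX_PINNED))
```

Two things the simulation makes visible: with "(" as the grouping character, the backslashed regex never matches a normal principal, so no entry is found and the bind fails with an authorization error; and the loose "(.*)@(.*)" maps bsmith@EVIL.LAN onto the same uid=bsmith entry as bsmith@AFB.LAN, so if the KDC ever trusts another realm the mapping should pin the realm and be anchored with ^ and $, as REGEX_PINNED does. Escaping the captured text before substituting it into the filter is cheap insurance against principal names that contain filter metacharacters.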
