Re: OpenLDAP + Kerberos +smbldap-tools



This is probably a question for the OpenLDAP list, but I'm pretty sure that
OpenLDAP doesn't support Kerberos authentication natively; they chose to go
with SASL instead, which supports the GSSAPI method, which in turn supports Kerberos 5.
So I don't think you can use the entry you use for the 'rootpw' directive.

I set up Kerberos + OpenLDAP for our environment except I wrote my own tools to
manage users/groups. In my environment I've disabled the rootdn and instead
enforce GSSAPI authentication using these ACL entries in slapd.conf:

# Users with /admin principals can change anything
# Read access for everyone else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read

So if you have a valid Kerberos ticket, SASL with the GSSAPI method, and SASL
compiled into OpenLDAP, you should be good to go.
Check to see what SASL authentication methods your LDAP server supports with
the following command:

ldapsearch -H ldap://localhost -x -b "" -s base -LLL supportedSASLMechanisms

If GSSAPI isn't listed, then SASL isn't installed correctly, wasn't compiled
with the GSSAPI method, and/or OpenLDAP isn't compiled with SASL support.

If everything is set up properly, I think you can use {SASL} instead of
{KERBEROS} for the rootpw entry but I'm not sure.

Hope this helps,

-Michael



I'm going to take a shot in the dark on this

--- Luciano Bolonheis <bolonheis@xxxxxxxxx> wrote:

> Hi,
> I'm beginning to use Kerberos, and I have to make it work with Samba and
> LDAP.
> I'm trying to use smbldap-tools from Idealx to add my users in the LDAP database.
> But when I try to add something with it, I get an answer: "err=8
> text=modifications require authentication".
> Does someone know what it is?
> in my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
> rootpw={KERBEROS}ldapadm@xxxxxxxxxxxxxxxxxxx
>
> the ticket to ldapadm is valid
>
> what else should be done?
>
> thanks
> Luciano Bolonheis
>
> ________________________________________________
> Kerberos mailing list Kerberos@xxxxxxx
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
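As an added illustration of Michael's two checks above (not code from either poster): the script below (1) evaluates the slapd.conf ACL he quoted against a few constructed SASL-derived authorization DNs of the shape uid=<principal>,cn=GSSAPI,cn=auth, and (2) parses a constructed copy of the ldapsearch output for supportedSASLMechanisms to see whether GSSAPI is offered. The regex is anchored with ^ and $ and compared case-insensitively here; both are assumptions about how slapd evaluates dn.regex, and anchoring is the conservative reading either way, since an unanchored pattern would also match any longer DN that merely contains the text.

```python
import re

# The ACL from the post, modelled as a Python regex:
#   access to *
#     by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
#     by * read
# Anchored with ^/$ so only a DN consisting exactly of a /admin principal
# authenticated via GSSAPI is granted write. Case-insensitive matching is an
# assumption about slapd's behaviour, not something the post states.
ADMIN_DN_REGEX = re.compile(r"^uid=.*/admin,cn=GSSAPI,cn=auth$", re.IGNORECASE)


def access_level(sasl_dn: str) -> str:
    """Return 'write' if the SASL-derived DN matches the admin rule, else 'read'."""
    if ADMIN_DN_REGEX.match(sasl_dn):
        return "write"
    return "read"


# Constructed sample of what
#   ldapsearch -H ldap://localhost -x -b "" -s base -LLL supportedSASLMechanisms
# prints on a server built with SASL and the GSSAPI plugin present.
SAMPLE_LDIF = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""


def parse_sasl_mechanisms(ldif: str) -> list:
    """Collect the values of every supportedSASLMechanisms line, in order."""
    mechs = []
    for line in ldif.splitlines():
        if line.startswith("supportedSASLMechanisms:"):
            mechs.append(line.split(":", 1)[1].strip())
    return mechs


def gssapi_available(ldif: str) -> bool:
    """True when the root DSE advertises GSSAPI; False points at a SASL/GSSAPI build problem."""
    return "GSSAPI" in parse_sasl_mechanisms(ldif)


if __name__ == "__main__":
    # Constructed authorization DNs covering the cases the ACL distinguishes.
    for dn in (
        "uid=michael/admin,cn=GSSAPI,cn=auth",   # /admin principal via GSSAPI: write
        "uid=michael,cn=GSSAPI,cn=auth",         # ordinary principal: read only
        "uid=luciano/admin,cn=DIGEST-MD5,cn=auth",  # /admin but not GSSAPI: read only
    ):
        print(f"{dn:45} -> {access_level(dn)}")

    print("mechanisms:", parse_sasl_mechanisms(SAMPLE_LDIF))
    print("GSSAPI offered:", gssapi_available(SAMPLE_LDIF))
```

Run against real output, pipe the ldapsearch command from the post into a file and pass its contents to gssapi_available(); an empty or GSSAPI-less list is exactly the "SASL not compiled in / GSSAPI plugin missing" condition Michael describes.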
