[Fedora-directory-users] FDS / PAM Integration Questions

Richard Megginson rmeggins at redhat.com
Tue Jan 30 02:27:38 UTC 2007


Jonathan Schreiter wrote:
>> I think your best option is to just keep Kerberos for authentication, 
>> especially if you are already using it successfully for other apps.  
>> What problems did you have with SASL mapping?
>>     
>
> Hi Richard,
> Thanks for your reply.  I've followed the documentation on the FDS website, basically to keep it as compatible as possible, I've added (under config - sasl - mapping):
>
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname
> nsSaslMapRegexString: .*
> nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
> nsSaslMapFilterTemplate: (cn=&) 
>   
Hmm - this doesn't seem quite right.  For one, (cn=&) is not the correct 
syntax.  What does & mean here?  If by & you mean "the entire string 
matched by nsSaslMapRegexString" then this means you expect a SASL 
username of something like "John Doe" which is mapped to an entry with 
cn=John Doe under ou=People.  But this still won't work unless you do 
something like this:

nsSaslMapRegexString: \(.*\)
...
nsSaslMapFilterTemplate: (cn=\1)

You have to use the escaped parentheses in the regexstring to put the match into a matching group (referenced by \1).  But I still don't think this will work unless you have a very nonstandard Kerberos set up.  The regex string is supposed to match against the Kerberos principal, which is usually something like jdoe@DOMAIN.COM, or the domain is omitted and the principal sent to the DS is just "jdoe".  The examples at http://directory.fedora.redhat.com/wiki/Howto:Kerberos describe both of these situations.


> On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd.  (I've done a ktdump to this file from kadmin).
>
> On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to:
> host: myfds.example.com
> base dc=example, dc=com
> SASL_MECH GSSAPI
> SASL_REALM MYEXAMPLE.COM
> use_sasl on
> sasl_auth_id nssldap/myclient.myexample.com
>
> When trying to do an ldapwhoami I receive:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>   additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission Denied).
>
> I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS.
>
> One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above - and if so what it should look like).
You're pretty close, just refer to 
http://directory.fedora.redhat.com/wiki/Howto:Kerberos
> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.  
>   
What settings?
> Any help would be appreciated.
>
> Regards,
> Jonathan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
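Added example, not part of the thread above and not code from Fedora Directory Server: a small Python model of what an nsSaslMapping entry does with the SASL identity, so the point about \( \) groups and \1 can be checked offline. The server's regex syntax is POSIX basic (where \( and \) delimit a group), so the model translates that one difference into Python's re syntax. The base DN, the "John Doe" identity and the realm MYEXAMPLE.COM are taken from the thread; the realm-stripping mapping onto uid is an assumption modelled on the Howto linked above, and anchoring the match to the whole identity is a simplification of this model, not a statement about the server's exact matching rules.

```python
import re

# Constructed from the thread: the search base Jonathan used.
BASE = "ou=People,dc=example,dc=com"


def _posix_to_python(regex: str) -> str:
    """Translate the server's POSIX basic syntax to Python's re syntax.

    In POSIX basic regex, \\( and \\) delimit a group and bare ( ) are
    literals; Python's re has the opposite convention, so the two forms
    are swapped. Any other escape (e.g. \\.) is passed through unchanged.
    """
    out, i = [], 0
    while i < len(regex):
        if regex[i] == "\\" and i + 1 < len(regex):
            nxt = regex[i + 1]
            out.append(nxt if nxt in "()" else "\\" + nxt)
            i += 2
        elif regex[i] in "()":
            out.append("\\" + regex[i])
            i += 1
        else:
            out.append(regex[i])
            i += 1
    return "".join(out)


def _max_group_ref(template: str) -> int:
    """Highest \\N back-reference used in a template, 0 if it uses none."""
    return max((int(n) for n in re.findall(r"\\(\d+)", template)), default=0)


def check_mapping(regex: str, base_template: str, filter_template: str):
    """Return None if the mapping is well formed, otherwise a description
    of the problem. This is the check the thread's ".*" / "(cn=&)" mapping
    fails on both counts: "&" is not a back-reference, and ".*" without
    \\( \\) defines no group for a \\1 to refer to."""
    groups = re.compile(_posix_to_python(regex)).groups
    needed = max(_max_group_ref(base_template), _max_group_ref(filter_template))
    if needed > groups:
        return f"templates reference \\{needed} but the regex defines only {groups} group(s)"
    if "&" in filter_template:
        return "'&' in the filter template is literal text, not a back-reference"
    return None


def sasl_map(identity: str, regex: str, base_template: str, filter_template: str):
    """Model of the mapping: match the SASL identity against the regex and
    substitute \\N in both templates. Returns (search_base, filter), or None
    when the regex does not match (in which case this mapping is skipped)."""
    m = re.fullmatch(_posix_to_python(regex), identity)
    if m is None:
        return None

    def expand(template: str) -> str:
        return re.sub(r"\\(\d+)", lambda r: m.group(int(r.group(1))), template)

    return expand(base_template), expand(filter_template)


if __name__ == "__main__":
    # The mapping from the thread: no group, and '&' is not a reference.
    print(check_mapping(".*", BASE, "(cn=&)"))
    # Corrected as suggested: \( \) capture the whole identity for \1.
    print(check_mapping(r"\(.*\)", BASE, r"(cn=\1)"))
    print(sasl_map("John Doe", r"\(.*\)", BASE, r"(cn=\1)"))
    # A realm-stripping mapping (assumed, modelled on the Howto's style):
    # the identity actually presented by GSSAPI is a principal, not a cn.
    realm_regex = r"\(.*\)@MYEXAMPLE\.COM"
    print(sasl_map("jdoe@MYEXAMPLE.COM", realm_regex, BASE, r"(uid=\1)"))
    print(sasl_map("John Doe", realm_regex, BASE, r"(uid=\1)"))  # no match
```

Running the block shows why the thread's mapping cannot work as written: with `.*` and `(cn=&)` the filter template is used literally, and with `(cn=\1)` there is no group to substitute; with `\(.*\)` the substitution happens, but a principal such as jdoe@MYEXAMPLE.COM still only maps onto the intended entry if the regex captures the part of the principal that actually appears in the directory (here assumed to be uid).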