Benutzer:Philip/Kerberos and LDAP: Unterschied zwischen den Versionen

← Zum vorherigen Versionsunterschied

VisuellWikitext

@@ Zeile 1: / Zeile 1: @@
 =Kerberos, SASL and OpenLDAP=
-''This is a small write-up to get openldap running with sasl/gssapi and kerberos 5. Thanks to '''sxw@irc.freenode.net''', who happened to just know what to do (in contradiction to the various crappy howtos out there)''
+''This is a small memo to get openldap running with sasl/gssapi and kerberos 5. Thanks to '''sxw@irc.freenode.net''', who happened to just know what to do (in contradiction to the various crappy howtos out there)''
 It is based on:
@@ Zeile 58: / Zeile 58: @@
 : in one terminal (as root, on the server):
   export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
-  ./sample-server.strace ./sample-server -s ldap
+  ./sample-server -s ldap
 : in another terminal (on the client):
@@ Zeile 87: / Zeile 87: @@
 ===setup SASL<->LDAP user mapping===
 * now, depending on your ldap setup, add something along the lines of
-  saslRegexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///ou=Users,o=organisation,c=org?sub?uid=$1
+  saslRegexp    uid=(.*),cn=<realm>,cn=gssapi,cn=auth ldap:///ou=Users,o=organisation,c=org?sub?uid=$1
 : or
-  saslRegexp    uid=(.*),cn=<realm>,cn=gssapi,cn=auth ldap:///ou=Users,o=$2,c=org?sub?uid=$1
+  saslRegexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///ou=Users,o=$2,c=org?sub?uid=$1
 : depending on if you want to authenticate against more than one realm.
@@ Zeile 111: / Zeile 111: @@
 ==FAQ==
-Please feel free to add questions here. I will answer then within a few days (questions by email have a lesser chance to be answered ;))
+Please feel free to add questions here. I will answer them within a few days (questions by email have a lesser chance to be answered ;))
+HI
+I read your howto. it is great but i have a few questions. Im usin debian etch and i cant see any diffrences between ubuntu and etch.
+I configured sasl and tested it but ive used sasl-sample-server and client from sasl2-bin package. when i followe tutoriam it seems ok. but I found in cyrus-sasl docs options, mech_list: GSSAPI and  keytab option.
+You used mech_list. I thought if keytab option shows path to keytab file why don't use it instead export KRB5_KTNAME i thing the effect shoult be the same.
+But unfortunately i get this error
+sasl-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (No such file or directory)
+sasl-sample-server: Starting SASL negotiation: generic failure (generic failure)
+it shows when i dont export KRB5_KTNAME.
+Do you know why it is not working?
+If I edit /etc/default/slapd where exacly i shoutld export KRB5...
+This is the file:
+"# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
+SLAPD_PIDFILE=
+# Configure if the slurpd daemon should be started. Possible values:
+# - yes:   Always start slurpd
+# - no:    Never start slurpd
+# - auto:  Start slurpd if a replica option is found in slapd.conf (default)
+SLURPD_START=auto
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+# Additional options to pass to slapd and slurpd
+SLAPD_OPTIONS=""
+export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
+SLURPD_OPTIONS=""
+"
+is this good place. I'm new with sasl and rest.
+thank for help
+Wojtek Giel
 ==Notes==
 If you find a place where this Howto seems most appropriate to you, please feel free to copy it there. But please drop me a note so that I can still update it: philip (at) linuxteam (dot) at.