OpenLDAP + Kerberos +smbldap-tools

OpenLDAP + Kerberos +smbldap-tools

Luciano Bolonheis
Hi,
I'm beginning to use Kerberos, and I have to make it work with Samba and LDAP.
I'm trying to use smbldap-tools from Idealx to add my users to the LDAP database.
But when I try to add something with it, I get an answer: "err=8
text=modifications require authentication".
Does someone know what it is?
In my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
                          rootpw={KERBEROS}[hidden email]

The ticket for ldapadm is valid.

What else should be done?

Thanks,
Luciano Bolonheis

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: OpenLDAP + Kerberos +smbldap-tools

Michael Marziani
This is probably a question for the OpenLDAP list, but I'm pretty sure that
OpenLDAP doesn't support Kerberos authentication natively; they chose to go
with SASL instead, which supports the GSSAPI method, which supports Kerberos 5.
So I don't think you can use the entry you use for the 'rootpw' directive.

I set up Kerberos + OpenLDAP for our environment except I wrote my own tools to
manage users/groups.  In my environment I've disabled the rootdn and instead
enforce GSSAPI authentication using these ACL entries in slapd.conf:

# Users with /admin principals can change anything
# Read access for everyone else
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

So then if you have a valid Kerberos ticket and you have SASL with GSSAPI
method and you have SASL compiled into OpenLDAP, you should be good to go.
Check to see what SASL authentication methods your LDAP server supports with
the following command:

ldapsearch -H ldap://localhost -x -b "" -s base -LLL supportedSASLMechanisms

If GSSAPI isn't listed, then SASL isn't installed correctly, wasn't compiled
with the GSSAPI method, and/or OpenLDAP isn't compiled with SASL support.

If everything is set up properly, I think you can use {SASL} instead of
{KERBEROS} for the rootpw entry but I'm not sure.

Hope this helps,

-Michael



I'm going to take a shot in the dark on this

--- Luciano Bolonheis <[hidden email]> wrote:

> Hi,
> I'm beginning to use Kerberos, and I have to make it work with Samba and
> LDAP.
> I'm trying to use smbldap-tools from Idealx to add my users to the LDAP database.
> But when I try to add something with it, I get an answer: "err=8
> text=modifications require authentication".
> Does someone know what it is?
> In my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
>                           rootpw={KERBEROS}[hidden email]
>
> The ticket for ldapadm is valid.
>
> What else should be done?
>
> Thanks,
> Luciano Bolonheis
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

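
The ACL from the reply above, modelled in Python as an added example (not code from the thread or from OpenLDAP): it applies the two "by" clauses in order to constructed SASL identities of the kind `ldapwhoami -Y GSSAPI` prints, so you can see which ones end up with write access. The sample DNs, the stricter `STRICT_ACL` pattern, and the use of Python's `re` as a stand-in for slapd's regex matching are assumptions.

```python
import re

# The two "by" clauses from the ACL in the reply, in order. slapd stops at
# the first clause that matches, so order matters.
PAGE_ACL = [
    (r"uid=.*/admin,cn=GSSAPI,cn=auth", "write"),
    (r".*", "read"),  # "by * read"
]

# Stricter variant (assumption, not from the thread): anchored at both ends,
# and the name part may not contain "," so it cannot span several RDNs.
STRICT_ACL = [
    (r"^uid=[^,/]+/admin,cn=gssapi,cn=auth$", "write"),
    (r".*", "read"),
]


def access_level(authc_dn, acl):
    """Return the access granted by the first clause that matches authc_dn."""
    for pattern, level in acl:
        # Assumption: matching is unanchored and case-insensitive. Python's
        # re stands in for the POSIX regex engine slapd uses.
        if re.search(pattern, authc_dn, re.IGNORECASE):
            return level
    return "none"


# Constructed sample identities (none come from the thread), written as they
# would appear after the "dn:" prefix in ldapwhoami output.
SAMPLES = [
    "uid=ldapadm/admin,cn=gssapi,cn=auth",                 # /admin principal
    "uid=luciano,cn=gssapi,cn=auth",                       # ordinary principal
    "uid=ldapadm/admin,cn=example.com,cn=gssapi,cn=auth",  # realm RDN present
    "uid=luciano,cn=x/admin,cn=gssapi,cn=auth",            # extra RDN
    "",                                                    # anonymous bind
]


def report(samples=SAMPLES):
    """List (dn, access under PAGE_ACL, access under STRICT_ACL) per sample."""
    return [(dn or "<anonymous>", access_level(dn, PAGE_ACL),
             access_level(dn, STRICT_ACL)) for dn in samples]


if __name__ == "__main__":
    for dn, page, strict in report():
        print(f"{dn:52} page={page:5} strict={strict}")
```

If the identity slapd reports carries a realm component, as in the third sample, neither pattern grants write, so compare the pattern against the exact DN that `ldapwhoami -Y GSSAPI` shows before relying on the ACL.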