Howdy,
I've tried unsuccessfully to get DS to authenticate users with sasl. I have a slapd.conf in /var/lib/sasl2 that looks like this:
pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux
and a sasl-mapping that looks like this:
Regex: .* Search Base DN: ou=People, dc=my, dc=domain, dc=fi Search Filter: (uid=&)
It looks like the sasl-mapping is ignored, and saslauthd with debugging on shows no authentication requests. When I run testsaslauthd with valid user information it seems to authenticate just fine. Does anybody have any hints, or an example of a working setup?
FDS supports two SASL authentication mechanisms at present:
EXTERNAL GSSAPI
It doesn't use the /var/lib/sasl2/slapd.conf configuration style.
Kalle Kivistö wrote:
Howdy,
I've tried unsuccessfully to get DS to authenticate users with sasl. I have a slapd.conf in /var/lib/sasl2 that looks like this:
pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux
and a sasl-mapping that looks like this:
Regex: .* Search Base DN: ou=People, dc=my, dc=domain, dc=fi Search Filter: (uid=&)
It looks like the sasl-mapping is ignored, and saslauthd with debugging on shows no authentication requests. When I run testsaslauthd with valid user information it seems to authenticate just fine. Does anybody have any hints, or an example of a working setup?
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Fri, 2005-08-26 at 06:02 -0600, David Boreham wrote:
FDS supports two SASL authentication mechanisms at present:
EXTERNAL GSSAPI
It doesn't use the /var/lib/sasl2/slapd.conf configuration style.
Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos.
If it's not possible, I'll look into writing a plugin that does this.
Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos.
This isn't supported in the current code.
If it's not possible, I'll look into writing a plugin that does this.
Sounds good. First you'd need to figure out how to perform a proxied authentiation against kerberos. With the existing SASL/GSSAPI mechanism we don't need to do that because we're simply passing through the authentication payload between GSSAPI and the client. Presumably you'd need to do whatever 'kinit' does, but inside the DS.
David Boreham wrote:
Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos.
This isn't supported in the current code.
If you just want to do LDAP SIMPLE BINDs with username/password (hopefully over a TLS connection), and use the Kerberos password instead of the userPassword attribute, you can use the PAM passthru bind plugin. You will have to grab the Fedora DS source and build it. What this does is pass the BIND authentication request to PAM, which you can configure to go to Kerberos for authentication.
If it's not possible, I'll look into writing a plugin that does this.
Sounds good. First you'd need to figure out how to perform a proxied authentiation against kerberos. With the existing SASL/GSSAPI mechanism we don't need to do that because we're simply passing through the authentication payload between GSSAPI and the client. Presumably you'd need to do whatever 'kinit' does, but inside the DS.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
FDS supports two SASL authentication mechanisms at present:
EXTERNAL GSSAPI
It doesn't use the /var/lib/sasl2/slapd.conf configuration style.
Kalle Kivistö wrote:
Howdy,
I've tried unsuccessfully to get DS to authenticate users with sasl. I have a slapd.conf in /var/lib/sasl2 that looks like this:
pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux
and a sasl-mapping that looks like this:
Regex: .* Search Base DN: ou=People, dc=my, dc=domain, dc=fi Search Filter: (uid=&)
It looks like the sasl-mapping is ignored, and saslauthd with debugging on shows no authentication requests. When I run testsaslauthd with valid user information it seems to authenticate just fine. Does anybody have any hints, or an example of a working setup?
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org