On Sat, Mar 07, 2015 at 10:59:39AM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
>> On Fri, Mar 06, 2015 at 08:26:29PM +0100, Michael Ströder wrote:
>>> Funny. It really works! (tested again)
>>> With EXTERNAL you don't have to do anything special in your code except not
>>> filtering out EXTERNAL being used as SASL mech because libldap will do
>>> everything for you.
>> Can you send me the logs for examination, please?
> Do you mean the sssd logs?
> Which log level would you like to see?
>> The way I read the logs, only GSSAPI should be supported... so needless to
>> say I'm a bit surprised.
> The setup would not work if SASL bind EXTERNAL is not sent by sssd. I can see
> in the OpenLDAP server's log that the authc-DN (cert subject DN) is correctly
> rewritten to the accompanying LDAP authz-DN which definitely wouldn't be the
> case for non-SASL/EXTERNAL bind.
> The authz-DN-mapping in OpenLDAP's config:
> See the sssd.conf attached.
Yes, can you also send me the sssd domain logs?
I re-read the logs again and you're right, we don't seem to error out on
anything other than GSSAPI (which is what I thought previously).
Nonetheless, it would be great to see the domain logs.
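The check Michael describes above (the certificate subject DN arriving as the SASL authc identity and being rewritten to an LDAP authz-DN, which a simple bind would never do) can be modelled offline. The following is an added example, not code or configuration from this thread, from sssd or from OpenLDAP; the mapping rules, DNs and the `AUTHZ_RULES`, `map_authc_to_authz` and `effective_bind_identity` names are constructed for illustration and only approximate slapd's `authz-regexp` handling.

```python
import re

# Constructed sample rules in the spirit of OpenLDAP's authz-regexp directive
# (illustrative only; not the configuration referred to in the thread).
# Each rule: (extended regex over the authc DN, replacement DN template with
# $1..$9 back-references). The first matching rule wins, as in slapd.
# slapd also accepts an LDAP URL as the replacement; that form is not modelled.
AUTHZ_RULES = [
    # client certificate subject "CN=<user>,OU=people,O=Example" -> user entry
    (r"^cn=([^,]+),ou=people,o=example$",
     "uid=$1,ou=users,dc=example,dc=com"),
    # host certificate "CN=<host>.example.com,OU=hosts,O=Example" -> service entry
    (r"^cn=([^,]+)\.example\.com,ou=hosts,o=example$",
     "cn=host-$1,ou=services,dc=example,dc=com"),
]


def normalize_dn(dn):
    """Drop whitespace around RDN separators.

    Real slapd applies full DN normalization before matching; stripping
    separator whitespace is a deliberate simplification for this model.
    """
    return ",".join(part.strip() for part in dn.split(","))


def map_authc_to_authz(authc_dn, rules=AUTHZ_RULES):
    """Return the authz DN produced by the first matching rule, or None.

    Matching is case-insensitive on attribute types and values (assumption of
    this model); captured values keep the case found in the certificate.
    """
    subject = normalize_dn(authc_dn)
    for pattern, template in rules:
        match = re.fullmatch(pattern, subject, re.IGNORECASE)
        if match is None:
            continue
        authz_dn = template
        for idx, group in enumerate(match.groups(), start=1):
            authz_dn = authz_dn.replace(f"${idx}", group)
        return authz_dn
    return None


def effective_bind_identity(mechanism, identity, rules=AUTHZ_RULES):
    """Model of the identity the server ends up with after the bind.

    SASL EXTERNAL: the TLS client certificate subject is the authc identity
    and passes through the mapping rules; an unmatched subject is kept as-is.
    Simple bind: the DN is used exactly as supplied, no rewriting happens.
    """
    if mechanism.upper() == "EXTERNAL":
        return map_authc_to_authz(identity, rules) or identity
    return identity


if __name__ == "__main__":
    # Constructed certificate subjects, printed alongside their mapped identity.
    for subject in ("CN=alice, OU=people, O=Example",
                    "cn=db1.example.com,ou=hosts,o=example",
                    "cn=stranger,o=other"):
        print(subject, "->", effective_bind_identity("EXTERNAL", subject))
```

Against a live server the equivalent observation is the authz-DN reported by `ldapwhoami -Y EXTERNAL` over a TLS session with the client certificate configured; if the server answers with the raw certificate subject instead of the mapped entry, either no rule matched or the bind did not use SASL EXTERNAL at all.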