Hi,
I'm working on getting SASL up and running with FDS 1.0.2 and have
run into some problems. It seems that the SASL Mappings are being
completely ignored.
Here is my setup:
Kerberos domain of SUB.BLAH.EDU
Ldap entry for uid=rob,ou=People,dc=sub,dc=blah,dc=edu
This is the map entry (the only map entry that I have):
# map1, mapping, sasl, config
dn: cn=map1,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: map1
nsSaslMapRegexString: (.*)/admin@.*
nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=sub,dc=blah,dc=edu
nsSaslMapFilterTemplate: (objectclass=*)
I've restarted the service which doesn't seem to fix it.
When I kinit with rob/admin, running ldapsearch -Y GSSAPI gets the
following error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-14): authorization failure:
when I kinit with rob, it works without a problem
Does anyone have any suggestions, or have I run into a bug of some sort?
Also is there any way to turn up the log level to get more info?
Thanks,
-Rob
Rob See wrote:
> Hi,
>
> I'm working on getting SASL up and running with FDS 1.0.2 and have
> run into some problems. It seems that the SASL Mappings are being
> completely ignored.
>
> [...]
>
> Does anyone have any suggestions, or have I run into a bug of some sort?

Does this help? - http://directory.fedora.redhat.com/wiki/Howto:Kerberos

> Also is there any way to turn up the log level to get more info?

Sure. You can use the TRACE level in the error log.

> Thanks,
> -Rob
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
In case someone ends up with the same problem in the future, it appears
that in the regex string you must escape the ( and ) with \, and the realm
should be excluded from the regex if both the server and client are using
the same realm... example: make the regex \(.*\)/admin not \(.*\)/admin@.*

-Rob

Richard Megginson wrote:
> Rob See wrote:
>> Hi,
>>
>> I'm working on getting SASL up and running with FDS 1.0.2 and have
>> run into some problems. It seems that the SASL Mappings are being
>> completely ignored.
>>
>> [...]
>>
>> Does anyone have any suggestions, or have I run into a bug of some sort?
> Does this help? - http://directory.fedora.redhat.com/wiki/Howto:Kerberos
>> Also is there any way to turn up the log level to get more info?
> Sure. You can use the TRACE level in the error log.
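A small model of the mapping step, added here as an example rather than code from the thread or from Fedora Directory Server: it translates the `\(...\)` grouping convention Rob's fix relies on into Python regex syntax, applies the map entry as first posted and as fixed to the identity the server sees, and expands `\1` in the base DN template. Assumptions: the realm is dropped from the identity when it equals the server's realm (as Rob reports), the regex must match the whole identity, and the server's default lookup when no map matches is not modelled.

```python
import re

# Constructed from the thread: the map entry as first posted, and as fixed.
BROKEN_MAP = {"cn": "map1", "regex": "(.*)/admin@.*",
              "base": r"uid=\1,ou=People,dc=sub,dc=blah,dc=edu",
              "filter": "(objectclass=*)"}
FIXED_MAP = dict(BROKEN_MAP, regex=r"\(.*\)/admin")
SERVER_REALM = "SUB.BLAH.EDU"

def sasl_identity(principal, server_realm=SERVER_REALM):
    """Identity handed to the mapping code. Assumption, modelled on Rob's
    report: the realm is absent when it equals the server's own realm."""
    name, at, realm = principal.rpartition("@")
    return name if at and realm == server_realm else principal

def bre_to_python(pattern):
    """Translate the paren convention Rob's fix relies on (\\( \\) form a
    group, bare ( ) are literal, as in POSIX basic regex) to Python syntax.
    Only parentheses are translated; everything else passes through."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and pattern[i + 1:i + 2] in ("(", ")"):
            out.append(pattern[i + 1]); i += 2       # \( \) -> group
        elif pattern[i] in "()":
            out.append("\\" + pattern[i]); i += 1    # ( ) -> literal
        else:
            out.append(pattern[i]); i += 1
    return "".join(out)

def expand(template, match):
    """Replace \\1, \\2 ... in a DN or filter template with regex groups."""
    return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)

def map_identity(identity, maps):
    """Return (base_dn, filter) from the first map whose regex matches the
    whole identity (assumption), or None when no map matches; the server's
    own fallback lookup in that case is not modelled here."""
    for m in maps:
        match = re.fullmatch(bre_to_python(m["regex"]), identity)
        if match:
            return expand(m["base"], match), expand(m["filter"], match)
    return None

if __name__ == "__main__":
    ident = sasl_identity("rob/admin@SUB.BLAH.EDU")
    print("as posted:", map_identity(ident, [BROKEN_MAP]))   # None
    print("as fixed: ", map_identity(ident, [FIXED_MAP]))
```

Running the two map entries against the same identity shows why the posted regex never fires: its bare parentheses are literals, so `rob/admin` cannot match, while the fixed form yields the expected base DN.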