OpenLDAP + Kerberos +smbldap-tools - Kerberos


Thread: OpenLDAP + Kerberos +smbldap-tools

  1. OpenLDAP + Kerberos +smbldap-tools

    Hi,
    I'm beginning to use Kerberos, and I have to make it work with Samba and LDAP.
    I'm trying to use smbldap-tools from Idealx to add my users in the LDAP database.
    But when I try to add something with it, I get an answer: "err=8
    text=modifications require authentication".
    Does someone know what it is?
    In my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
    rootpw={KERBEROS}ldapadm@MGA.PRPR.MPF.GOV.BR

    The ticket to ldapadm is valid.

    What else should be done?

    thanks
    Luciano Bolonheis

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: OpenLDAP + Kerberos +smbldap-tools

    This is probably a question for the OpenLDAP list, but I'm pretty sure that
    OpenLDAP doesn't support Kerberos authentication natively; they chose to go
    with SASL instead, which supports the GSSAPI method, which supports Kerberos 5.
    So I don't think you can use the entry you use for the 'rootpw' directive.

    I set up Kerberos + OpenLDAP for our environment except I wrote my own tools to
    manage users/groups. In my environment I've disabled the rootdn and instead
    enforce GSSAPI authentication using these ACL entries in slapd.conf:

    # Users with /admin principals can change anything
    # Read access for everyone else
    access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

    So then if you have a valid Kerberos ticket and you have SASL with GSSAPI
    method and you have SASL compiled into OpenLDAP, you should be good to go.
    Check to see what SASL authentication methods your LDAP server supports with
    the following command:

    ldapsearch -H ldap://localhost -x -b "" -s base -LLL supportedSASLMechanisms

    If GSSAPI isn't listed, then SASL isn't installed correctly, wasn't compiled
    with the GSSAPI method, and/or OpenLDAP isn't compiled with SASL support.

    If everything is set up properly, I think you can use {SASL} instead of
    {KERBEROS} for the rootpw entry but I'm not sure.

    Hope this helps,

    -Michael



    I'm going to take a shot in the dark on this

    --- Luciano Bolonheis wrote:

    > Hi,
    > I'm beginning to use Kerberos, and I have to make it work with Samba and
    > LDAP.
    > I'm trying to use smbldap-tools from Idealx to add my users in the LDAP database.
    > But when I try to add something with it, I get an answer: "err=8
    > text=modifications require authentication".
    > Does someone know what it is?
    > In my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
    > rootpw={KERBEROS}ldapadm@MGA.PRPR.MPF.GOV.BR
    >
    > The ticket to ldapadm is valid.
    >
    > What else should be done?
    >
    > thanks
    > Luciano Bolonheis


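Added example (not part of either post): a shell sketch of the two checks the reply describes, namely whether the server's root DSE offers GSSAPI and whether a given SASL authentication DN would get write access under the quoted ACL. The sample root DSE output and DNs are constructed; the function names are hypothetical, and it is an assumption that slapd matches `dn.regex` case-insensitively and unanchored and reports DNs in lowercase with an optional `cn=<realm>` component.

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not captured from a server.

# has_gssapi: read root DSE LDIF on stdin; succeed only if GSSAPI is offered.
has_gssapi() {
    grep -Eiq '^supportedSASLMechanisms:[[:space:]]*GSSAPI[[:space:]]*$'
}

# acl_level DN: access level the reply's ACL gives to an authentication DN.
# Assumption: slapd matches dn.regex case-insensitively and unanchored.
acl_level() {
    if printf '%s\n' "$1" | grep -Eiq 'uid=.*/admin,cn=GSSAPI,cn=auth'; then
        echo write
    else
        echo read
    fi
}

# live_check URI: the same checks against a running server (needs a ticket).
live_check() {
    klist -s || { echo "no valid Kerberos ticket" >&2; return 1; }
    ldapsearch -H "$1" -x -b "" -s base -LLL supportedSASLMechanisms |
        has_gssapi || { echo "server does not offer GSSAPI" >&2; return 1; }
    dn=$(ldapwhoami -Q -Y GSSAPI -H "$1") || return 1
    dn=${dn#dn:}
    echo "$dn -> $(acl_level "$dn")"
}

# Constructed root DSE answers: one with GSSAPI, one without.
DSE_OK='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI'
DSE_BAD='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSS-SPNEGO'

# Constructed authentication DNs: an /admin principal, a plain principal,
# and an /admin principal whose DN carries a realm component.
for dn in 'uid=ldapadm/admin,cn=gssapi,cn=auth' \
          'uid=ldapadm,cn=gssapi,cn=auth' \
          'uid=ldapadm/admin,cn=mga.prpr.mpf.gov.br,cn=gssapi,cn=auth'; do
    echo "$dn -> $(acl_level "$dn")"
done
printf '%s\n' "$DSE_OK" | has_gssapi && echo "GSSAPI offered"
printf '%s\n' "$DSE_BAD" | has_gssapi || echo "GSSAPI missing"
```

Only the first DN gets write: a principal without the `/admin` instance, or a DN with a realm component between `uid=` and `cn=gssapi`, falls through to `by * read`.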

