Hi!

I kerberized ldap:

dn: cn=config
objectClass: olcGlobal
cn: config
olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=example,dc=com
olcSaslHost: srv.example.com
olcSaslRealm: EXAMPLE.COM

In /etc/ldap/ldap.conf:

BASE      dc=example,dc=com
URI       ldap://srv.example.com
SASL_MECH GSSAPI

In /etc/ldap.conf:

base         dc=example,dc=com
uri          ldap://srv.example.com
ldap_version 3
rootbinddn   cn=adm,dc=example,dc=com
pam_password md5

I now try to connect to my ldap server:

client:~$ kinit user
Password for user@EXAMPLE.COM:
client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/11 11:32:03  01/21/11 21:32:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/22/11 11:31:58
client:~$ ldapsearch -H ldap://srv.example.com
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
client:~$ ldapsearch -D uid=user,dc=example,dc=com -H ldap://srv.example.com
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

The user in question exists:

dn: cn=user user,ou=Users,dc=example,dc=com
givenName: user
sn: user
cn: user user
uid: user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
loginShell: /bin/zsh

Any idea what is wrong? As far as I see: I do have a tgt and thus I shall be authenticated. But I am not granted access! Any idea why?

--
Thomas
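To see what an olcAuthzRegexp rule like the one in the message above does with a GSSAPI identity, here is an added Python example. It is not part of the original message and is an approximation of slapd's mapping logic written for illustration, not slapd's own code. It builds the SASL authorization DN of the form uid=<user>,cn=<realm>,cn=<mech>,cn=auth that slapd derives from a Kerberos principal, applies the rule, and then checks whether the rewritten identity actually names an entry in a constructed copy of the directory (the user entry from the post). A second, hypothetical rule shows the ldap:/// search-URL form of olcAuthzRegexp, which locates the entry by its uid attribute instead of assuming what its RDN is. The assumptions that slapd matches these patterns case-insensitively and unanchored, and the exact realm case in the derived DN, are labelled in the code; the realm name, base DN and entry are the ones from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample data modelled on the post: the olcAuthzRegexp rule and
# the user entry. Example code, not part of the original message.
AUTHZ_REGEXP_RULES = [
    # Note: the '.' in example.com is unescaped here (as in the post), so it
    # also matches e.g. "exampleXcom"; a production rule would use example\.com.
    (r"uid=(.*),cn=example.com,cn=gssapi,cn=auth",
     r"uid=$1,ou=Users,dc=example,dc=com"),
]

# Hypothetical alternative rule (an assumption, not from the post): slapd also
# accepts an ldap:/// search URL as the replacement, so the entry is found by
# attribute value rather than by guessing its RDN.
SEARCH_URL_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     r"ldap:///ou=Users,dc=example,dc=com??sub?(uid=$1)"),
]

# The entry from the post, reduced to the attributes this example needs.
DIRECTORY = {
    "cn=user user,ou=Users,dc=example,dc=com": {"uid": ["user"], "cn": ["user user"]},
}


def sasl_authz_dn(principal: str, mech: str = "gssapi") -> str:
    """Authorization identity slapd derives from a SASL bind:
    uid=<user>,cn=<realm>,cn=<mech>,cn=auth.
    Assumption: the realm is carried through as given; matching below is
    case-insensitive, so EXAMPLE.COM vs example.com does not matter."""
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn={mech.lower()},cn=auth"


def _substitute(replacement: str, match: re.Match) -> str:
    # slapd replaces $1..$9 in the replacement string with the captured groups.
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), replacement)


def apply_authz_regexp(authz_dn: str, rules):
    """Rewritten identity for the first matching rule, or None.
    Assumption: matching is case-insensitive (slapd compiles the patterns
    with REG_ICASE) and unanchored, like a plain regexec()."""
    for pattern, replacement in rules:
        match = re.search(pattern, authz_dn, flags=re.IGNORECASE)
        if match:
            return _substitute(replacement, match)
    return None


def resolve_identity(rewritten, directory=DIRECTORY):
    """Resolve the rewritten identity to an existing DN, or None.
    A literal DN must exist exactly; an ldap:/// URL is evaluated as a
    single-attribute equality search (only scopes base and sub modelled)."""
    if rewritten is None:
        return None
    if not rewritten.lower().startswith("ldap:///"):
        for dn in directory:
            if dn.lower() == rewritten.lower():
                return dn
        return None
    # ldap:///<base>?<attrs>?<scope>?<filter>
    base, _attrs, scope, filt = unquote(rewritten[len("ldap:///"):]).split("?", 3)
    if scope not in ("base", "sub"):
        raise ValueError(f"scope not modelled in this example: {scope}")
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError(f"filter not modelled in this example: {filt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn.lower().endswith(base.lower()) and (
            scope == "sub" or dn.lower() == base.lower())
        if in_scope and value in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    # slapd requires the search to return exactly one entry.
    return hits[0] if len(hits) == 1 else None


def check_mapping(principal: str, rules, directory=DIRECTORY):
    """Walk a principal through every stage of the mapping and report them."""
    authz = sasl_authz_dn(principal)
    rewritten = apply_authz_regexp(authz, rules)
    return {"authz_dn": authz, "rewritten": rewritten,
            "resolved": resolve_identity(rewritten, directory)}


if __name__ == "__main__":
    for name, rules in (("literal DN rule", AUTHZ_REGEXP_RULES),
                        ("search URL rule", SEARCH_URL_RULES)):
        print(name, check_mapping("user@EXAMPLE.COM", rules))
```

Running it shows the two stages a practitioner wants to check separately: whether the regexp fires at all on the derived cn=auth DN, and whether the identity it produces names a real entry. With the literal-DN rule the rewritten identity is uid=user,ou=Users,dc=example,dc=com, which is not the DN of the sample entry (its RDN is cn=user user), so the mapping resolves to nothing; the search-URL form resolves the same principal to the entry by its uid attribute. On a live server, `ldapwhoami -Y GSSAPI` reports which identity slapd ended up with after the mapping.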
