ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
Dan White
dwhite at olp.net
Sat Aug 16 01:43:17 EDT 2008
Chavez, James R. wrote:
> If you do not mind, I have another question. I cannot get an answer on
> any lists, but I think I am on the right track.
> I have all my users in my OpenLDAP directory with their usernames or
> uids in the Unix 8-character format of first initial of the first name
> and then 7 characters of the last name. So for example jmontana. These I
> migrated from our NIS domain into the directory. I can authenticate
> fine. The issue is the powers that be want everything joined to Active
> Directory. The AD user account principals are in the format of
> firstname_lastname or joe_montana. They do not match the naming format
> of the LDAP uids. It is worth mentioning that if I rename the Unix or
> LDAP uid to first_last I can log in perfectly using Kerberos credentials,
> but I would rather map the uids to stay consistent with the Unix naming
> scheme.
>
> I need to log in and authenticate with the Kerberos credentials and have
> those map to the 8-character Unix or LDAP uids.
> Now the reason I wanted to use gssapi is because it mentions the use of
> authz-regexp to map the authentication DN from the gssapi dn to a dn
> existing in the directory unless I am misunderstanding.
>
> When I issue an ldapwhoami, I get the following.
> dn: uid=joe_montana,dc=gssapi,dc=auth ......
>
> But the ldapwhoami should map to:
> uid=jmontana,ou=people,dc=example,dc=com ........
>
> For logging in, can cyrus-sasl-gssapi help me accomplish this? Or is it
> more for service principals? Trying to understand.
>
I'm not exactly clear on what your end result is going to be, but there
are a couple of ways I can think of to accomplish the authz-regexp match.
If the usernames are strict and always follow the same format, you
should be able to do:
authz-regexp "uid=(.).*_(.......),cn=gssapi,cn=auth"
uid=$1$2,ou=people,dc=example,dc=com
The SASL mechanism doesn't necessarily need to be GSSAPI, though; you
can use any mechanism.
Or you can add an attribute within your LDAP entries, such as 'altUid'
(this is made up) which contains the long-name format, and then use an
internal search to find the appropriate entry:
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)
Where your entry would resemble
dn: uid=jmontana,ou=people,dc=example,dc=com
...
altUid: joe_montana
- Dan
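The following is an added example, not code from the mail above or from OpenLDAP. It simulates, in Python, what slapd does with the two authz-regexp styles Dan describes: the match pattern is applied to the SASL authentication DN (uid=<name>,cn=gssapi,cn=auth), the captured groups are substituted into the replacement as $1, $2 and so on, and when the replacement is an LDAP URL it is resolved by a search that has to return exactly one entry. The directory, the entries, and the 'altUid' attribute are constructed for the example; matching is assumed to be case-insensitive and unanchored, and only simple equality filters are supported. A third rule, RULE_REWRITE_TRUNC, is my own generalisation of Dan's first pattern to the Unix "initial plus up to seven surname characters" truncation; it is not from the mail. Run it to see that the exact-seven-character pattern from the mail only maps surnames of exactly seven letters, while the altUid lookup maps everything that has an entry.

```python
"""Simulation of slapd authz-regexp mapping (added example, not OpenLDAP code)."""
import re
from typing import Optional

# Constructed sample directory standing in for ou=people. 'altUid' is the
# made-up attribute from the mail holding the AD-style first_last name.
PEOPLE = [
    {"dn": "uid=jmontana,ou=people,dc=example,dc=com", "uid": "jmontana", "altUid": "joe_montana"},
    {"dn": "uid=ama,ou=people,dc=example,dc=com",      "uid": "ama",      "altUid": "ann_ma"},
    {"dn": "uid=bvanhout,ou=people,dc=example,dc=com", "uid": "bvanhout", "altUid": "bob_vanhouten"},
]

# Rule from the mail: first initial plus exactly seven surname characters,
# because the seven-dot group must be followed directly by ",cn=gssapi".
RULE_REWRITE = ("uid=(.).*_(.......),cn=gssapi,cn=auth",
                "uid=$1$2,ou=people,dc=example,dc=com")
# My generalisation (assumption, not from the mail): up to seven surname
# characters are kept and anything beyond them is discarded, as Unix did.
RULE_REWRITE_TRUNC = ("uid=(.)[^_,]*_([^,]{1,7})[^,]*,cn=gssapi,cn=auth",
                      "uid=$1$2,ou=people,dc=example,dc=com")
# Lookup rule from the mail, with a capture group feeding $1 in the URL filter.
RULE_SEARCH = ("uid=([^,]*),cn=gssapi,cn=auth",
               "ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)")


def sasl_authc_dn(principal: str, mech: str = "gssapi") -> str:
    """Authentication DN slapd derives from a SASL identity with no realm part."""
    return f"uid={principal},cn={mech},cn=auth"


def _substitute(template: str, m: "re.Match[str]") -> str:
    """Replace $0..$9 in the template with the corresponding regex groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def _search_one(url: str, entries: list) -> Optional[str]:
    """Resolve ldap:///base?attrs?scope?filter; exactly one hit, else no mapping."""
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not fm:
        return None                      # only (attr=value) filters in this toy
    attr, value = fm.group(1), fm.group(2)
    suffix = "," + base
    hits = []
    for e in entries:
        dn = e["dn"]
        if not dn.lower().endswith(suffix.lower()):
            continue
        if scope == "one" and "," in dn[: -len(suffix)]:
            continue                     # one-level scope: a single RDN below base
        if e.get(attr, "").lower() == value.lower():
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None   # zero or several hits: refuse


def apply_rule(authc_dn: str, rule: tuple, entries: list = PEOPLE) -> Optional[str]:
    """Apply one authz-regexp rule; literal DN or LDAP URL replacement."""
    pattern, replacement = rule
    m = re.search(pattern, authc_dn, re.IGNORECASE)   # unanchored, case-insensitive (assumed)
    if not m:
        return None
    target = _substitute(replacement, m)
    if target.lower().startswith("ldap:///"):
        return _search_one(target, entries)
    return target


def authz_dn(authc_dn: str, rules: list, entries: list = PEOPLE) -> Optional[str]:
    """First rule whose pattern matches is the one used; later rules are not tried."""
    for rule in rules:
        if re.search(rule[0], authc_dn, re.IGNORECASE):
            return apply_rule(authc_dn, rule, entries)
    return None


if __name__ == "__main__":
    for name in ("joe_montana", "ann_ma", "bob_vanhouten"):
        dn = sasl_authc_dn(name)
        print(f"{dn:38s} rewrite={apply_rule(dn, RULE_REWRITE)}"
              f"  trunc={apply_rule(dn, RULE_REWRITE_TRUNC)}"
              f"  search={apply_rule(dn, RULE_SEARCH)}")
```

The point the simulation makes is the one to check with ldapwhoami before trusting a rule: the pattern "uid=(.).*_(.......),cn=gssapi,cn=auth" silently fails for any surname that is not exactly seven characters, so users like ann_ma or bob_vanhouten would get no authorization identity at all, whereas the altUid lookup works for every entry that carries the attribute and refuses ambiguous matches.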