ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Dan White dwhite at olp.net
Sat Aug 16 01:43:17 EDT 2008


Chavez, James R. wrote:
> If you do not mind, I have another question. I cannot get an answer on
> any lists, but I think I am on the right track.
> I have all my users in my OpenLDAP directory with their usernames or
> uids in the Unix 8-character format of the first initial of the first name
> and then 7 characters of the last name, so for example jmontana. These I
> migrated from our NIS domain into the directory. I can authenticate
> fine. The issue is the powers that be want everything joined to Active
> Directory. The AD user account principals are in the format
> firstname_lastname, or joe_montana. They do not match the naming format
> of the LDAP uids. It is worth mentioning that if I rename the Unix or
> LDAP uid to first_last I can log in perfectly using Kerberos credentials,
> but I would rather map the uids to stay consistent with the Unix naming
> scheme.
>  
> I need to log in and authenticate with the Kerberos credentials and have
> those map to the 8-character Unix or LDAP uids.
> Now the reason I wanted to use GSSAPI is because it mentions the use of
> authz-regexp to map the authentication DN from the GSSAPI DN to a DN
> existing in the directory, unless I am misunderstanding.
>
> When I issue an ldapwhoami, I get the following:
> dn: uid=joe_montana,dc=gssapi,dc=auth ......
>
> But an ldapwhoami should map to:
> uid=jmontana,ou=people,dc=example,dc=com ........
>
> For logging in, can cyrus-sasl-gssapi help me accomplish this? Or is it
> more for service principals? Trying to understand.
>   

I'm not exactly clear on what your end result is going to be, but there 
are a couple of ways I can think of to accomplish the authz-regexp match.

If the usernames are strict and always follow the same format, you 
should be able to do:

authz-regexp "uid=(.).*_(.......),cn=gssapi,cn=auth"
    uid=$1$2,ou=people,dc=example,dc=com

Although the SASL mechanism doesn't necessarily need to be GSSAPI; you
can use any mechanism.

Or you can add an attribute within your ldap entries, such as 'altUID' 
(this is made up) which contains the long-name format, and then use an 
internal search to find the appropriate entry:

# capture the whole SASL uid (up to the next comma) so $1 is defined for the search URL
authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
    ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)


where your entry would resemble:

dn: uid=jmontana,ou=people,dc=example,dc=com
...
altUid: joe_montana

- Dan

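As an added example (not from Dan's message and not OpenLDAP code), the following Python emulates the two authz-regexp styles above over a constructed two-entry directory: the rewrite form turns joe_montana into jmontana, it yields no mapping for a last name that is not exactly seven characters, and the altUid lookup form covers that case. The ^/$ anchors and the comma-excluding capture are assumptions added for strictness; slapd's own matching rules are not reproduced in detail.

```python
import re

# Constructed sample directory (not from the original message), one level under ou=people.
DIRECTORY = {
    "uid=jmontana,ou=people,dc=example,dc=com": {"uid": "jmontana", "altUid": "joe_montana"},
    "uid=jrice,ou=people,dc=example,dc=com": {"uid": "jrice", "altUid": "jerry_rice"},
}
PEOPLE_SUFFIX = "ou=people,dc=example,dc=com"

# Variant 1: pure rewrite, emulating
#   authz-regexp "uid=(.).*_(.......),cn=gssapi,cn=auth" uid=$1$2,ou=people,dc=example,dc=com
# Anchors are an added assumption so the whole SASL DN must match, not just a substring.
REWRITE_PATTERN = re.compile(r"^uid=(.).*_(.{7}),cn=gssapi,cn=auth$", re.IGNORECASE)

def map_by_rewrite(sasl_dn):
    """Return the mapped DN, or None when the name does not fit the 1+7 scheme."""
    m = REWRITE_PATTERN.match(sasl_dn)
    if m is None:
        return None  # unmapped: slapd would leave the uid=...,cn=gssapi,cn=auth identity as is
    return "uid=%s%s,%s" % (m.group(1), m.group(2), PEOPLE_SUFFIX)

# Variant 2: internal search, emulating
#   authz-regexp "uid=([^,]*),cn=gssapi,cn=auth" ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)
# The capture excludes commas so $1 is the bare principal name, never a DN fragment.
LOOKUP_PATTERN = re.compile(r"^uid=([^,]*),cn=gssapi,cn=auth$", re.IGNORECASE)

def map_by_lookup(sasl_dn, directory=DIRECTORY):
    """Return the single entry whose altUid equals the captured name, else None."""
    m = LOOKUP_PATTERN.match(sasl_dn)
    if m is None:
        return None
    wanted = m.group(1).lower()  # LDAP attribute values here are treated case-insensitively
    hits = [dn for dn, attrs in directory.items()
            if dn.endswith("," + PEOPLE_SUFFIX) and attrs.get("altUid", "").lower() == wanted]
    # The search must return exactly one entry; zero or several leaves the identity unmapped.
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for principal in ("joe_montana", "jerry_rice", "nobody"):
        sasl_dn = "uid=%s,cn=gssapi,cn=auth" % principal
        print("%-14s rewrite=%s lookup=%s" % (principal, map_by_rewrite(sasl_dn), map_by_lookup(sasl_dn)))
```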

More information about the Cyrus-sasl mailing list