Hi Richard,
I should have probably provided more detail. I followed the HOWTO:kerberos and entered
the config - sasl - mapping as it explained, namely:
dn: cn=mapname,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
And that produces the same SASL GSSAPI errors as in the last post. The link on that HOWTO
that points to the SASL configurations shows the other configuration parameters (the ones
that I also tried and posted in my last message). The install is a standard
user@mydomain.com so you're probably correct and I've changed that entry to the
above settings.
The SASL documentation:
Configuring SASL Identity Mapping from the Console
In the Console, open the Directory Server.
Open the "Configuration" tab.
Select the "SASL Mapping" tab.
To add new SASL identities, select the "Add" button, and fill in the required
values.
The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it
wasn't clear if this was required or not. Can you confirm? If it is required, what
would the fields be filled with - do we need to link to the dn:
cn=mapname,cn=mapping,cn=sasl,cn=config above?
Also, because the service principal that FDS is going to use is
ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to
work...such as:
dn: cn=mapname2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname2
nsSaslMapRegexString: [^/]+/\(.+\)
nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com
nsSaslMapFilterTemplate: .*
Also, I'm not sure if I need all the settings (such as a
sasl_auth_id) but they are left over from configuration of openldap.
What settings?
The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or
SASL on the FDS sites), but they are:
SASL_MECH GSSAPI
SASL_REALM MYEXAMPLE.COM
use_sasl_on
sasl_auhid nssldap/myclient.myexample.com
I've tried with and without these settings and I still get the error: invalid
credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure (Permission denied). When I set these, I believe it is used for default settings
(such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).
Any thoughts would be appreciated!
Many thanks again,
Jonathan
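As an added illustration (not part of Jonathan's message, and not the directory server's own code), the following Python script mimics how an nsSaslMapping entry turns a SASL identity into a search base and filter: the nsSaslMapRegexString is matched against the identity, and \1, \2 ... in nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate are replaced with the captured groups. It uses the two mappings from the message (with "@" restored in the first regex), plus a variant of the host mapping that stops the capture at "@" so the Kerberos realm does not end up inside the uid. Assumptions, labelled in the comments: the \( \) grouping is translated to Python's ( ) with no other regex differences, mappings are tried in list order with the first match winning, and the host mapping's filter is written as (objectclass=*) rather than the ".*" shown in the post.

```python
import re

# Matches \1, \2 ... inside a DN or filter template.
TEMPLATE_REF = re.compile(r"\\(\d)")

# Constructed copies of the two nsSaslMapping entries from the post.
USER_MAP = {
    "cn": "mapname",
    "regex": r"\(.*\)@\(.*\)",          # user@REALM
    "base_dn": r"uid=\1,dc=myexample,dc=com",
    "filter": "(objectclass=inetOrgPerson)",
}
HOST_MAP = {
    "cn": "mapname2",
    "regex": r"[^/]+/\(.+\)",           # service/host...
    "base_dn": r"uid=\1,ou=hosts,dc=myexample,dc=com",
    "filter": "(objectclass=*)",        # assumption: a valid filter in place of ".*"
}
# Added variant (assumption, not from the post): capture only up to the "@"
# so the realm is excluded from the uid value.
HOST_MAP_NO_REALM = {
    "cn": "mapname2-norealm",
    "regex": r"[^/]+/\([^@]+\)@.*",
    "base_dn": r"uid=\1,ou=hosts,dc=myexample,dc=com",
    "filter": "(objectclass=*)",
}


def posix_to_python(regex):
    """Translate the \\( \\) capture groups used in nsSaslMapRegexString
    into Python's ( ). Assumption: nothing else in these patterns differs
    between the server's regex flavour and Python's re module."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")


def expand(template, match):
    """Replace \\1, \\2 ... in a template with the groups captured from
    the SASL identity."""
    return TEMPLATE_REF.sub(lambda m: match.group(int(m.group(1))), template)


def map_identity(identity, mappings):
    """Return (cn, base_dn, filter) from the first mapping whose regex
    matches the identity, or None when nothing matches. First-match-wins
    ordering is an assumption about the server, not stated in the post."""
    for m in mappings:
        hit = re.search(posix_to_python(m["regex"]), identity)
        if hit:
            return m["cn"], expand(m["base_dn"], hit), expand(m["filter"], hit)
    return None


if __name__ == "__main__":
    # Constructed sample identities matching the post's naming.
    for ident in ("jonathan@MYEXAMPLE.COM",
                  "ldap/fqdnoffds.myexample.com@MYEXAMPLE.COM"):
        print(ident, "->", map_identity(ident, [USER_MAP, HOST_MAP]))
        print(ident, "->", map_identity(ident, [HOST_MAP_NO_REALM, USER_MAP]))
```

Running it shows why the order of the entries and the shape of the capture matter: with the user mapping listed first, the greedy \(.*\) swallows "ldap/fqdnoffds.myexample.com" as the uid; with the host mapping as written in the post listed first, the captured host name still carries "@MYEXAMPLE.COM"; only the realm-stripping variant yields a uid that can actually match a host entry under ou=hosts.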