In case someone ends up with the same problem in the future, it appears
that in the regex string you must escape the ( and ) with \, and the
realm should be excluded from the regex if both the server and client
are using the same realm...
example: make the regex \(.*\)/admin not \(.*\)/admin@.*
-Rob
Richard Megginson wrote:
Rob See wrote:
> Hi,
>
> I'm working on getting SASL up and running with FDS 1.0.2 and have
> run into some problems. It seems that the SASL Mappings are being
> completely ignored.
>
> Here is my setup:
>
> Kerberos domain of SUB.BLAH.EDU
> Ldap entry for uid=rob,ou=People,dc=sub,dc=blah,dc=edu
>
> This is the map entry (the only map entry that I have):
>
> # map1, mapping, sasl, config
> dn: cn=map1,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: map1
> nsSaslMapRegexString: (.*)/admin@.*
> nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=sub,dc=blah,dc=edu
> nsSaslMapFilterTemplate: (objectclass=*)
>
> I've restarted the service which doesn't seem to fix it.
>
> When I kinit with rob/admin, running ldapsearch -Y GSSAPI gets the
> following error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-14): authorization failure:
>
> when I kinit with rob, it works without a problem
>
> Does anyone have any suggestions, or have I run into a bug of some
> sort?
Does this help? -
http://directory.fedora.redhat.com/wiki/Howto:Kerberos
>
> Also, is there any way to turn up the log level to get more info?
Sure. You can use the TRACE level in the error log.
>
> Thanks,
> -Rob
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
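
The behaviour described in the follow-up at the top of this thread, as an added example that is not part of the original messages: it emulates the mapping with POSIX basic regular expressions (the default syntax of grep and sed). It assumes the server's matcher likewise treats unescaped parentheses as literals, that the pattern must match the whole identity, and that a same-realm identity arrives without its @REALM suffix; `map_identity` is a hypothetical helper and the sample identities are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Emulates a SASL identity -> DN mapping
# with POSIX basic regular expressions, the default syntax of grep and sed.
# Assumptions: unescaped ( ) are literal characters in the server's matcher,
# and the pattern has to match the whole identity.

# Base DN template copied from the map entry in the post.
TEMPLATE='uid=\1,ou=People,dc=sub,dc=blah,dc=edu'

# map_identity REGEX IDENTITY  (hypothetical helper, not a server command)
# Prints the mapped DN and returns 0 on success.
# Returns 1 when REGEX does not match, 2 when it matches but has no group.
map_identity() {
    regex=$1
    identity=$2
    # -x: whole-line match; without -E, grep reads REGEX as a basic regex.
    printf '%s\n' "$identity" | grep -qx -- "$regex" || return 1
    # Without \( \) there is no captured text for \1 in the template.
    case $regex in
        *'\('*) ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$identity" | sed "s|^$regex\$|$TEMPLATE|"
}

# Constructed identities: the same principal without and with its realm, and
# one that contains literal parentheses.
for re in '(.*)/admin@.*' '\(.*\)/admin@.*' '\(.*\)/admin'; do
    for id in 'rob/admin' 'rob/admin@SUB.BLAH.EDU' '(rob)/admin@SUB.BLAH.EDU'; do
        dn=$(map_identity "$re" "$id") || dn="no mapping (status $?)"
        printf '%-17s %-26s %s\n' "$re" "$id" "$dn"
    done
done
```

Under these assumptions the unescaped pattern from the original map entry only matches an identity that literally contains parentheses, and even then it captures nothing for `\1`.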