
OpenLDAP2 and SASL/Kerberos



[I'm still waiting for my subscription to the cyrus-sasl list to come
through, so in the meantime I send it here, with a Cc that I hope will
work]

This wasn't an easy task, that's for sure! I'm having trouble gluing all the
pieces together, even though they work just fine on their own.

To re-cap:
On the machine I'm running the following software:
        MIT KerberosV   (v1.2.1)
        OpenLDAP1       (v1.2.11)
        Cyrus SASL      (v1.5.24)

        Using pam_ldap and pam_krb5 to authenticate my users works fine.
        I'm able to verify passwords against the Kerberos database, and
        changing passwords and using ktelnet/krsh/kftpd etc. work.

On a 'full' install of Debian GNU/Linux in a chroot, I'm running this
software:
        Cyrus SASL      (v1.5.24)
        OpenLDAP2       (v2.0.7)

        An exact copy of the OpenLDAP1 database from outside the chroot is
        loaded, using ldbmcat/slapadd.

        Using simple binds works, both as anonymous and as the 'old'
        admin DN. Both with/without TLS, but not SSL (see other thread).


==>  The rest of this is done in the chroot <==


Trying to use SASL bind with ldapsearch doesn't work.

Since the KDC is running on localhost (but outside the chroot) I never
bothered with a keytab. The SASL test software didn't work until I
copied the keytab from outside the chroot to /etc. This I don't
like, but...

Without running kinit, I get the error:
----- s n i p -----
CHROOT:~# ldapsearch -I -b 'dc=com' -p 3389 -h localhost -ZZ dn -v
ldap_init( localhost, 3389 )
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: root@BAYOUR.COM
ldap_sasl_interactive_bind_s: Local error
----- s n i p -----

It would be nice to have something else than just 'Local error', but I
understand that this is a problem with SASL not returning correct values
or something like that (I have a vague memory of reading something like
that in the cyrus-sasl list archive).

And after running kinit:
----- s n i p -----
CHROOT:~# kinit 
Password for root@BAYOUR.COM: 
CHROOT:~# ldapsearch -I -b 'dc=com' -p 3389 -h localhost -ZZ dn -v
ldap_init( localhost, 3389 )
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: root@BAYOUR.COM
ldap_sasl_interactive_bind_s: Unknown error
        additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; No principal in keytab matches desired name; 
----- s n i p -----
(removing -ZZ from the ldapsearch lines above gives the same problem)

According to klist, I have a ticket...
----- s n i p -----
CHROOT:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: root@BAYOUR.COM

Valid starting     Expires            Service principal
03/06/01 12:27:06  03/06/01 22:27:06  krbtgt/BAYOUR.COM@BAYOUR.COM
03/06/01 12:27:16  03/06/01 22:27:06  ldap/papadoc.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----- s n i p -----

In slapd.conf I have the following options:
----- s n i p -----
sasl-realm              "BAYOUR.COM"
sasl-secprops           none
----- s n i p -----
(I'm not quite sure what 'sasl-secprops' does, but I found that example on
the openldap-software list a couple of weeks ago...)

The '/etc/hosts' file is the same both in the chroot and outside it, and so
is the '/etc/krb5.conf' file. As said above, the file '/etc/krb5.keytab'
is also the same.

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
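
The "No principal in keytab matches desired name" error quoted above is what
gss_acquire_cred reports when the keytab that slapd reads has no entry for the
service principal the client is asking for (here ldap/papadoc.bayour.com@BAYOUR.COM,
the principal klist shows a service ticket for). The script below is an added
example and is not part of the original post: it parses a `klist -k` style
listing and reports whether the expected ldap/<fqdn>@REALM entry is present.
The listing, hostname and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that a keytab listing
# contains the LDAP service principal a GSSAPI client will ask slapd for.
# The keytab contents below are constructed for illustration; on a real
# system replace them with the output of:  klist -k /etc/krb5.keytab

SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/papadoc.bayour.com@BAYOUR.COM
   3 host/papadoc.bayour.com@BAYOUR.COM
   2 ldap/papadoc.bayour.com@BAYOUR.COM'

# expected_principal SERVICE FQDN REALM -> prints SERVICE/FQDN@REALM
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has LISTING PRINCIPAL -> returns 0 if PRINCIPAL is an entry in LISTING.
# Entry lines in `klist -k` output start with a numeric KVNO, so only those
# lines are compared; header lines are ignored.
keytab_has() {
    listing=$1
    principal=$2
    printf '%s\n' "$listing" | awk -v p="$principal" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ldap_principal FQDN REALM LISTING -> prints a verdict, returns 0/1
check_ldap_principal() {
    want=$(expected_principal ldap "$1" "$2")
    if keytab_has "$3" "$want"; then
        echo "ok: $want is in the keytab"
        return 0
    else
        echo "missing: $want is not in the keytab; gss_acquire_cred in slapd will fail"
        return 1
    fi
}

check_ldap_principal papadoc.bayour.com BAYOUR.COM "$SAMPLE_KEYTAB_LISTING"
```

On the real system run the klist listing as the user slapd runs as, because the
keytab must also be readable by that user; if slapd should use a keytab other
than the default, MIT Kerberos honours the KRB5_KTNAME environment variable.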