OpenLDAP2 and SASL/Kerberos
[I'm still waiting for my subscription to the cyrus-sasl list to come
through, so in the meantime I send it here, with a Cc that I hope will
work]
This wasn't an easy task, that's for sure! I'm having trouble gluing all the
pieces together, even though they work just fine on their own.
To re-cap:
On the machine I'm running the following software:
MIT KerberosV (v1.2.1)
OpenLDAP1 (v1.2.11)
Cyrus SASL (v1.5.24)
Using pam_ldap and pam_krb5 to authenticate my users works fine.
I'm able to verify passwords against the kerberos database, and
changing passwords and using ktelnet/krsh/kftpd etc works.
On a 'full' install of Debian GNU/Linux in a chroot, I'm running this
software:
Cyrus SASL (v1.5.24)
OpenLDAP2 (v2.0.7)
An exact copy of the OpenLDAP1 database from outside the chroot is
loaded, using ldbmcat/slapadd.
Using simple binds works, both as anonymous and as the 'old'
admin DN. Both with/without TLS, but not SSL (see other thread).
==> The rest of this is done in the chroot <==
Trying to use SASL bind with ldapsearch doesn't work.
Since the KDC is running on localhost (but outside the chroot) I never
bothered with a keytab. The SASL test software didn't work until I
copied the keytab from outside the chroot to /etc. This I don't
like, but...
Without running kinit, I get the error:
----- s n i p -----
CHROOT:~# ldapsearch -I -b 'dc=com' -p 3389 -h localhost -ZZ dn -v
ldap_init( localhost, 3389 )
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: root@BAYOUR.COM
ldap_sasl_interactive_bind_s: Local error
----- s n i p -----
It would be nice to have something other than just 'Local error', but I
understand that this is a problem with SASL not returning correct values
or something like that (I have a vague memory of reading something like
that in the cyrus-sasl list archive).
And after running kinit:
----- s n i p -----
CHROOT:~# kinit
Password for root@BAYOUR.COM:
CHROOT:~# ldapsearch -I -b 'dc=com' -p 3389 -h localhost -ZZ dn -v
ldap_init( localhost, 3389 )
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: root@BAYOUR.COM
ldap_sasl_interactive_bind_s: Unknown error
additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; No principal in keytab matches desired name;
----- s n i p -----
(removing -ZZ from the ldapsearch lines above gives the same problem)
According to klist, I have a ticket...
----- s n i p -----
CHROOT:~# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: root@BAYOUR.COM
Valid starting Expires Service principal
03/06/01 12:27:06 03/06/01 22:27:06 krbtgt/BAYOUR.COM@BAYOUR.COM
03/06/01 12:27:16 03/06/01 22:27:06 ldap/papadoc.bayour.com@BAYOUR.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
----- s n i p -----
In slapd.conf I have the following options:
----- s n i p -----
sasl-realm "BAYOUR.COM"
sasl-secprops none
----- s n i p -----
(I'm not quite sure what 'sasl-secprops' does, but I found that example on
the openldap-software list a couple of weeks ago...)
The '/etc/hosts' file is the same in the chroot as outside it, and so
is the '/etc/krb5.conf' file. As said above, the '/etc/krb5.keytab' file
is also the same.
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
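The "No principal in keytab matches desired name" failure above is a mismatch between the principal the GSSAPI acceptor asks for and what the keytab holds. The following checker is an added example, not code from the post, OpenLDAP or Cyrus SASL: it parses a constructed `klist -k` style listing (format assumed from MIT klist: a KVNO column followed by the principal) and reports whether the expected ldap/fqdn@REALM entry is present or only a near miss (wrong host or wrong realm). The hostname and realm are taken from the post; the keytab contents are constructed.

```python
"""Diagnose why gss_acquire_cred would find no matching key in a keytab.

Added example, not from the original post. Assumes MIT `klist -k` output
layout; the sample listing below is constructed and deliberately lacks the
ldap/ service key that slapd would need.
"""
import re

# Constructed `klist -k /etc/krb5.keytab` output (host and realm from the post).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------------
   3 host/papadoc.bayour.com@BAYOUR.COM
   3 host/papadoc.bayour.com@BAYOUR.COM
   2 ftp/papadoc.bayour.com@BAYOUR.COM
   1 root@BAYOUR.COM
"""


def parse_keytab_listing(text):
    """Return the set of principals named in a `klist -k` style listing."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_service_principal(service, fqdn, realm):
    """Name a GSSAPI acceptor derives for itself: service/canonical-fqdn@REALM."""
    return f"{service}/{fqdn.lower()}@{realm}"


def diagnose(listing, service, fqdn, realm):
    """Return (status, principal): 'ok', 'realm-mismatch', 'host-mismatch' or 'missing'."""
    wanted = expected_service_principal(service, fqdn, realm)
    have = parse_keytab_listing(listing)
    if wanted in have:
        return "ok", wanted
    for p in sorted(have):          # look for near misses among service keys
        if "/" not in p:
            continue                # user principals (root@REALM) are not service keys
        svc, rest = p.split("/", 1)
        host, prealm = rest.split("@", 1)
        if svc != service:
            continue
        if host.lower() == fqdn.lower() and prealm != realm:
            return "realm-mismatch", p
        return "host-mismatch", p
    return "missing", wanted
```

Run `diagnose(SAMPLE_KLIST_K, "ldap", "papadoc.bayour.com", "BAYOUR.COM")` against a real `klist -k` capture to see which of the four cases applies; the canonical fqdn the acceptor uses depends on hostname resolution in the chroot, which is why the post's /etc/hosts comparison matters.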