Re: OpenLDAP2 and SASL/Kerberos
Even more investigation reveals that the sample-{server|client} from
Cyrus-SASL does NOT work!
----- s n i p -----
CHROOT:/tmp/sample# ./sample-server -s ldap -p /usr/lib/sasl
Generating client mechanism list...
Sending list of 4 mechanism(s)
S: UExBSU4gTE9HSU4gQU5PTllNT1VTIEdTU0FQSQ==
Waiting for client mechanism...
C: 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
got 'GSSAPI'
lt-sample-server: Starting SASL negotiation: generic failure (GSSAPI: gss_acquire_cred: Miscellaneous failure; No principal in keytab matches desired name; )
----- s n i p -----
----- s n i p -----
CHROOT:/tmp/sample# ./sample-client -s ldap -u root -a root -p /usr/lib/sasl -n papadoc.bayour.com
service=ldap
Waiting for mechanism list from server...
S: UExBSU4gTE9HSU4gQU5PTllNT1VTIEdTU0FQSQ==
Choosing best mechanism from: PLAIN LOGIN ANONYMOUS GSSAPI
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJAGCCAhUGCSqGSIb3EgECAgEAboICBDCCAgCgAwIBBaEDAgEOogcDBQAgAAAAo4IBJGGCASAwggEcoAMCAQWhDBsKQkFZT1VSLkNPTaIlMCOgAwIBA6EcMBobBGxkYXAbEnBhcGFkb2MuYmF5b3VyLmNvbaOB3zCB3KADAgEQoQMCAQKigc8Egczzq7bGtNEyE0DkBceUEVo2bGHpOK57xP3rU2IM8Tf4Q9qCNR/1TVvZLXbiCHJUcYH2mQ2GYNkCQY1lxdkf7BggiRmMMII8xxcMJ9c+2vXkHL246tbzlVTALb+8mVp71B4vIKvDv8L/m552tP2KSPUSVRgDNOTsRAp2OYhAy+52XAZv3DG+K2n54VqTPtDMo5G6geGPjXI6LhVcMmlMKMvZ14rAn+urTQNSPeGNWaO6NMNYkFmQPkIRgzxXbBI1MzEFQqwkc5UybU7RmwmkgcIwgb+gAwIBEKKBtwSBtASOfxgeFRzgIIRDayTT6KQGMA0u/MUv7Kb1TJo2gQ8FfDwfSCC+aCTv8YBv2K84UGTzwNun3HbvLdtMftAOO1tA+IF2SiHL6yl2f+Q7Qyv+IuRtlxQozaWr3HdU1RjiYUA2WdM1DU2dVnRk/Q2Br2ryi6k526obRNpMWRGcHV48ybCKIl43nUl84zRMqcUB1kl/wz+lPpSrWFgSBEe1iCvtwPMq5vzvSHirLZhFh3IvA9SN8A==
Waiting for server reply...
----- s n i p -----
However, what fooled me was that service (-s) = 'host' worked like a charm!
----- s n i p -----
CHROOT:/tmp/sample# kadmin -p turbo@BAYOUR.COM
Authenticating as principal turbo@BAYOUR.COM with password.
Enter password:
kadmin: getprincs
K/M@BAYOUR.COM
admin/admin@BAYOUR.COM
ftp/papadoc.bayour.com@BAYOUR.COM
host/papadoc.bayour.com@BAYOUR.COM
kadmin/admin@BAYOUR.COM
kadmin/changepw@BAYOUR.COM
kadmin/history@BAYOUR.COM
krbtgt/BAYOUR.COM@BAYOUR.COM
ldap/localhost@BAYOUR.COM
ldap/papadoc.bayour.com@BAYOUR.COM
mounthome/papadoc.bayour.com@BAYOUR.COM
pam_migrate/papadoc.bayour.com@BAYOUR.COM
root@BAYOUR.COM
turbo@BAYOUR.COM
----- s n i p -----
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
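The failure above comes from gss_acquire_cred, which looks for the acceptor principal `<service>/<fqdn>@REALM` in the keytab the server process can read (with MIT Kerberos, /etc/krb5.keytab unless KRB5_KTNAME points elsewhere), not in the KDC database. The kadmin listing shows ldap/papadoc.bayour.com exists on the KDC, so the thing to verify is whether that principal was ever extracted into the keytab the chrooted sample-server sees. The following script is an added example, not part of the original post or of Cyrus-SASL: it parses `klist -k` style output and reports whether the expected principal is present. The keytab listing embedded in it is constructed for illustration (it deliberately contains host/ and ftp/ but no ldap/ entry, reproducing the symptom); the comment about running it inside the chroot is an assumption about this setup.

```shell
#!/bin/sh
# Added example: check whether a keytab holds the service principal that a
# GSSAPI acceptor will ask gss_acquire_cred for. Not code from the original
# post. Assumes MIT-style `klist -k` output (KVNO column, then principal).

# Constructed sample of `klist -k` output standing in for a real keytab.
# Note: ldap/papadoc.bayour.com is absent even though the KDC knows it.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/papadoc.bayour.com@BAYOUR.COM
   3 ftp/papadoc.bayour.com@BAYOUR.COM'

# keytab_has_principal <klist -k output> <service> <fqdn> <realm>
# Prints every matching keytab line; exit status 0 if found, 1 otherwise.
keytab_has_principal() {
    listing=$1; service=$2; fqdn=$3; realm=$4
    printf '%s\n' "$listing" | awk -v want="$service/$fqdn@$realm" '
        { for (i = 1; i <= NF; i++) if ($i == want) { found = 1; print } }
        END { exit !found }'
}

# diagnose <klist -k output> <service> <fqdn> <realm>
# Echoes "ok" when the principal is in the keytab, "missing" otherwise,
# i.e. "missing" is the state behind "No principal in keytab matches
# desired name".
diagnose() {
    if keytab_has_principal "$1" "$2" "$3" "$4" >/dev/null; then
        echo ok
    else
        echo missing
    fi
}

# Against the constructed sample: host works, ldap does not.
diagnose "$SAMPLE_KLIST" host papadoc.bayour.com BAYOUR.COM
diagnose "$SAMPLE_KLIST" ldap papadoc.bayour.com BAYOUR.COM

# On a live box run it with the real listing. Assumption for this setup:
# run it INSIDE the chroot, because that is the keytab sample-server reads.
#   diagnose "$(klist -k "${KRB5_KTNAME:-/etc/krb5.keytab}")" ldap "$(hostname -f)" BAYOUR.COM
```

If the check reports "missing", the fix is on the keytab side (export ldap/papadoc.bayour.com into the keytab the server reads, e.g. with kadmin's ktadd, and make sure the file is readable by the server process), not in the SASL or LDAP configuration.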