
difficulties running slapd as non-root and sasl
I can only use sasl-gssapi with openldap if I run slapd as root.
If I run it as a regular user (ldap), sasl-gssapi won't work,
even with a world-readable /etc/krb5.keytab. I get different
errors:

This happens with a 0600 krb5.keytab which slapd can't read. That's expected.
$ ldapsearch  -LLL uid=bla 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Unknown error
        additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied; 

Now I have a 666 krb5.keytab file, just for testing:
$ ldapsearch  -LLL uid=bla
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Unknown error
        additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied in replay cache code; 

If I run slapd as root, then it works... (and yes, /etc/openldap/slapd.conf is
readable by the ldap user).

Any clues?
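The two failure modes in the post (keytab unreadable by the service user, and a replay cache the unprivileged slapd cannot open) are both file-permission problems that can be checked before starting the daemon. The following pre-flight script is an added example, not code from the original post or from OpenLDAP. It assumes MIT Kerberos conventions: the replay cache directory is `$KRB5RCACHEDIR`, defaulting to `/var/tmp`, and replay-cache file names contain `<service>_` (such as `ldap_0` or `rc_ldap_0`; the exact naming is version dependent, so the scan is a heuristic). The service name and keytab path are parameters. Run it as the service user, since root passes every readability test.

```shell
#!/bin/sh
# Pre-flight checks for running slapd as an unprivileged user with SASL/GSSAPI.
# Added example, not from the original post. Run it AS THE SERVICE USER, e.g.:
#   sudo -u ldap sh -c '. ./gssapi_preflight.sh && preflight ldap /etc/krb5.keytab'
#
# Assumptions (hypothetical, adjust for your Kerberos build):
#   - MIT Kerberos keeps replay caches in $KRB5RCACHEDIR, defaulting to /var/tmp,
#     with file names containing "<service>_" (e.g. ldap_0 or rc_ldap_0).
#   - The keytab must be readable by the service user but NOT by everyone.

# Print a file's permission bits as octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeed if "other" has the read bit: a 666 or 644 keytab leaks the service key.
world_readable() {
    case $(file_mode "$1") in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed if the keytab exists and the *current* user can open it.
# (Root always passes -r, which is why this must run as the service user.)
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    [ -e "$keytab" ] || { echo "keytab missing: $keytab" >&2; return 2; }
    [ -r "$keytab" ] || { echo "keytab not readable by $(id -un): $keytab" >&2; return 1; }
    if world_readable "$keytab"; then
        echo "warning: $keytab is world-readable (mode $(file_mode "$keytab")); prefer 0640 root:<service group>" >&2
    fi
    return 0
}

# List replay-cache files for <service> in <dir> that are NOT owned by <uid>.
# A cache left behind by a root-run slapd is one reason a later unprivileged
# slapd can fail with "Permission denied in replay cache code".
stale_rcache_files() {
    service=$1; uid=$2; dir=${3:-${KRB5RCACHEDIR:-/var/tmp}}
    find "$dir" -maxdepth 1 -type f -name "*${service}_*" ! -uid "$uid" -print 2>/dev/null
}

# Run all checks for a service; exit status 0 means nothing obvious is wrong.
preflight() {
    service=${1:-ldap}; keytab=${2:-/etc/krb5.keytab}; rc=0
    check_keytab "$keytab" || rc=1
    stale=$(stale_rcache_files "$service" "$(id -u)")
    if [ -n "$stale" ]; then
        echo "replay cache files not owned by $(id -un) (remove them, or point KRB5RCACHEDIR at a directory the service user owns):" >&2
        echo "$stale" >&2
        rc=1
    fi
    return $rc
}
```

The script only defines functions, so it can be sourced and `preflight` called under `sudo -u ldap`; a non-zero exit means either the keytab is not readable by that user or a replay-cache file in the cache directory belongs to someone else. The world-readable warning is deliberate: a 666 keytab makes the test pass but hands the service key to every local user, so the fix is group-readable ownership, not wider permissions.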