
openLDAP/SASL/KerberosV(heimdal)



Hello,

I am having trouble with GSSAPI.  I can authenticate and work locally,
but whenever I attempt to ldapsearch from another box, it fails.

I tested the kerberosV to ensure it is working (using ktelnet).  The
sample-server and sample-client properly talk GSSAPI as well.

It seems to be acting as if there were no local ticket issued by
kerberos, yet other kerberized apps work fine.

Any help would be greatly appreciated.

--chris
cmaxwell@themanor.net


slapd.conf: (highlights only)
	sasl-host       machineB.domain.tld
	sasl-realm      DOMAIN.TLD
	access to * 
	        by users write
	        by anonymous read
	        by * read
	rootdn          "uid=root@DOMAIN.TLD"

Two machines.  Both are openBSD 3.2 boxes, running OpenLDAP 2.0.27, and
Cyrus-SASL 1.5.27.  KerberosV is heimdal.

Machine B is the kerberosV keyserver, and openldap server.

Machine A is a kerberosV client (using machineB as its kdc), and has a
test openldap server installed locally to ensure SASL is working
correctly (for a baseline).

---

[local] When I run ldapsearch from machine-B (to machine-B), the request
works, initializes SASL, and returns "GSSAPI" as the supported
mechanism.

[local] When I run ldapsearch from machine-A (to machine-A), the request
works, initializes SASL, etc.

[remote] When I run ldapsearch from machine-A (to machine-B), the request
fails!
	ldap_sasl_interactive_bind_s: Local error

Machine "B":
  192.168.0.232
  -KDC
  -OpenLDAP server

Before Running "kinit" (for reference)
/usr/local/bin/ldapsearch -Y GSSAPI -H ldap://<machineB> -b '' -s base
-LLL supportedSASLMechanisms
	ldap_sasl_interactive_bind_s: Local error

After Running "kinit"
	SASL/GSSAPI authentication started
	SASL SSF: 56
	SASL installing layers
	dn:
	supportedSASLMechanisms: GSSAPI
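One check worth running on a remote-only GSSAPI failure like the one above is whether the service principal the client asks for (`ldap/<fqdn>@REALM`, built from the host in the `ldap://` URL) is actually present in the LDAP server's keytab. The script below is an added example, not part of the original post: it derives that principal from a URL and realm and looks for it in a keytab listing. The keytab listing embedded here is constructed in the style of Heimdal's `ktutil list`; on a real server you would feed in the live output of that command instead. Kerberos libraries canonicalise and lowercase the host name before requesting the ticket, so the derived principal is lowercased the same way.

```shell
#!/bin/sh
# Added example (not from the original post). Derive the Kerberos service
# principal a GSSAPI LDAP client requests for a given ldap:// URL and check
# whether that principal appears in a keytab listing.

# expected_principal URL REALM -> prints ldap/<host>@<REALM>
expected_principal() {
    url=$1
    realm=$2
    host=${url#ldap://}
    host=${host#ldaps://}
    host=${host%%/*}          # drop any path after the host
    host=${host%%:*}          # drop an explicit port
    # Kerberos canonicalises the host name to lowercase when building the
    # service principal; principals are case-sensitive, so mirror that here.
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# keytab_has_principal PRINCIPAL LISTING -> exit 0 if the principal is listed
keytab_has_principal() {
    principal=$1
    listing=$2
    printf '%s\n' "$listing" | grep -q -F -- "$principal"
}

# Constructed sample in the style of `ktutil list` on a Heimdal host; replace
# with the real listing from the LDAP server when using this for diagnosis.
SAMPLE_KEYTAB='Vno  Type         Principal
  1  des-cbc-crc  host/machineb.domain.tld@DOMAIN.TLD
  1  des-cbc-crc  ldap/machineb.domain.tld@DOMAIN.TLD'

# check_url URL REALM LISTING -> reports whether the expected principal exists
check_url() {
    p=$(expected_principal "$1" "$2")
    if keytab_has_principal "$p" "$3"; then
        echo "ok: $p is present in the keytab"
        return 0
    else
        echo "missing: $p is not in the keytab (client bind will fail)"
        return 1
    fi
}

# Usage: a fully qualified name matches; a short host name, which resolves to
# a different principal, does not.
check_url "ldap://machineB.domain.tld" "DOMAIN.TLD" "$SAMPLE_KEYTAB"
check_url "ldap://machineB" "DOMAIN.TLD" "$SAMPLE_KEYTAB" || true
```

The second call shows why a bind that works with one spelling of the server name can fail with another: the principal name is derived from the host string the client resolves, so a short name or an alias that does not canonicalise to the keytab's FQDN yields a principal the server cannot decrypt a ticket for. Comparing the derived name against `ktutil list` output on the server is a quick way to rule that in or out before digging into ticket caches on the client.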