
GSSAPI : Can't find mistake ...



Hi,

I'm trying to install OpenLDAP 2.1.8 with GSSAPI authentication.

My system :

Red Hat Linux 7.1
Kernel 2.4.19
openssl 0.9.6g
cyrus-sasl 2.1.9
heimdal kerberos 0.51
berkeleydb 4.0.14
openldap 2.1.8

Cyrus SASL is running, the sample server/clients too ...

Installed Heimdal,
service key is ldap/myserver.mydomain@WEBSERVICES
principal is 44857@WEBSERVICES

klist output is:
---snipp---
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: 44857@WEBSERVICES

  Issued           Expires          Principal
Oct 31 14:21:41  Nov  1 00:21:41  krbtgt/WEBSERVICES@WEBSERVICES
Oct 31 14:21:58  Nov  1 00:21:41  ldap/myserver.mydomain@WEBSERVICES
---snipp---

So, I'm trying the following,
first anonymously:

---snipp---
[root@myserver.mydomain]# /usr/local/ldap-2.1.x/bin/ldapsearch -b "" -s base -H "ldaps://myserver.mydomain" -x -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

[root@myserver.mydomain]#

---snipp---

You see, it works ...
Now with GSSAPI:

---snipp---
[root@myserver.mydomain etc]# /usr/local/ldap-2.1.x/bin/ldapsearch -b "" -s base -H "ldaps://myserver.mydomain" -Y GSSAPI -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
[root@myserver.mydomain etc]#
---snipp---

You see, it doesn't work ...

This is my configuration (partly):
---snipp---
TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCertificateFile /usr/local/ldapcert/ldapcert.pem
TLSCertificateKeyFile /usr/local/ldapcert/ldapkey.pem
TLSCACertificateFile /usr/local/ldapcert/cacert.pem

# SASL authentication
srvtab     /etc/krb5.keytab
sasl-host  fra10000144.srv.fra.fraport.de
sasl-realm WEBSERVICES

saslRegexp
  uid=(.*),cn=WEBSERVICES,cn=GSSAPI,cn=auth
  uid=$1,ou=users,o=webservices,dc=my,dc=domain

lastmod         on
database        ldbm
suffix            "dc=my,dc=domain"
directory       /usr/local/ldap-2.1.x/var/openldap-data
include         /usr/local/ldap-2.1.x/etc/slapd.rootaccount
# Index Definition
index objectClass,uid,uidNumber,gidNumber,memberUid,ou eq 

access to *
   by dn="uid=.*,ou=users,o=webservices,dc=my,dc=domain" write
   by dn="uid=admin,ou=users,o=webservices,dc=my,dc=domain" write
   by * read 

---snipp---

So, I think this is "well-formed"; can someone give
me a hint what's wrong?


greets Harry

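An added consistency check for the configuration shown above (example code, not from the post or from OpenLDAP): slapd builds its GSSAPI acceptor name from sasl-host and sasl-realm as ldap/<sasl-host>@<sasl-realm>, and gss_accept_sec_context fails on the server side when the keytab named by srvtab holds no key for that exact principal. The script parses constructed slapd.conf and keytab-listing text mirroring the post; the listing format is assumed to be that of Heimdal's `ktutil -k /etc/krb5.keytab list`.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Compares the service principal
# slapd will expect with what a keytab listing actually contains.

# Usage: expected_service_principal <slapd.conf text>
# Prints ldap/<sasl-host>@<sasl-realm> derived from the config, or fails.
expected_service_principal() {
    host=$(printf '%s\n' "$1" | awk '$1 == "sasl-host"  { print $2 }')
    realm=$(printf '%s\n' "$1" | awk '$1 == "sasl-realm" { print $2 }')
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Usage: keytab_has_principal <keytab listing text> <principal>
# Returns 0 if some whitespace-separated field equals the principal exactly.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '{ for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
         END { exit found ? 0 : 1 }'
}

# Usage: check_sasl_keytab <slapd.conf text> <keytab listing text>
# Returns 0 when the keytab holds the principal slapd will look for.
check_sasl_keytab() {
    want=$(expected_service_principal "$1") || return 1
    if keytab_has_principal "$2" "$want"; then
        echo "ok: keytab has $want"
        return 0
    fi
    echo "mismatch: slapd will look for $want; keytab lists:" >&2
    printf '%s\n' "$2" | awk 'index($0, "ldap/") > 0 { print "  " $0 }' >&2
    return 1
}

# Constructed inputs mirroring the post: the config names one host, the
# keytab (as klist showed for the service ticket) names another.
SLAPD_CONF='srvtab     /etc/krb5.keytab
sasl-host  fra10000144.srv.fra.fraport.de
sasl-realm WEBSERVICES'

KEYTAB_LIST='Vno  Type         Principal
  1  des-cbc-crc  ldap/myserver.mydomain@WEBSERVICES'

check_sasl_keytab "$SLAPD_CONF" "$KEYTAB_LIST" ||
    echo 'align sasl-host with the keytab (or add the key) and restart slapd' >&2
```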