GSSAPI : Can't find mistake ...
Hi,
I'm trying to install openldap 2.1.8 with GSSAPI-authentication.
My system:
Red Hat Linux 7.1
Kernel 2.4.19
openssl 0.9.6g
cyrus-sasl 2.1.9
heimdal kerberos 0.51
berkeleydb 4.0.14
openldap 2.1.8
Cyrus SASL is running, the sample server/clients too ...
Installed heimdal,
service key is ldap/myserver.mydomain@WEBSERVICES
principal is 44857@WEBSERVICES
klist output is :
---snipp---
Credentials cache: FILE:/tmp/krb5cc_0
Principal: 44857@WEBSERVICES
Issued Expires Principal
Oct 31 14:21:41 Nov 1 00:21:41 krbtgt/WEBSERVICES@WEBSERVICES
Oct 31 14:21:58 Nov 1 00:21:41 ldap/myserver.mydomain@WEBSERVICES
---snipp---
So, I'm trying the following,
first anonymous:
---snipp---
[root@myserver.mydomain]# /usr/local/ldap-2.1.x/bin/ldapsearch -b "" -s base
-H "ldaps://myserver.mydomain" -x -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
[root@myserver.mydomain]#
---snipp---
You see, it works ...
Now with GSSAPI:
---snipp---
[root@myserver.mydomain etc]# /usr/local/ldap-2.1.x/bin/ldapsearch -b "" -s base
-H "ldaps://myserver.mydomain" -Y GSSAPI -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
[root@myserver.mydomain etc]#
---snipp---
You see, it doesn't work ...
This is my configuration (in part):
---snipp---
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/ldapcert/ldapcert.pem
TLSCertificateKeyFile /usr/local/ldapcert/ldapkey.pem
TLSCACertificateFile /usr/local/ldapcert/cacert.pem
# SASL authentication
srvtab /etc/krb5.keytab
sasl-host fra10000144.srv.fra.fraport.de
sasl-realm WEBSERVICES
saslRegexp
    uid=(.*),cn=WEBSERVICES,cn=GSSAPI,cn=auth
    uid=$1,ou=users,o=webservices,dc=my,dc=domain
lastmod on
database ldbm
suffix "dc=my,dc=domain"
directory /usr/local/ldap-2.1.x/var/openldap-data
include /usr/local/ldap-2.1.x/etc/slapd.rootaccount
# Index Definition
index objectClass,uid,uidNumber,gidNumber,memberUid,ou eq
access to *
    by dn="uid=.*,ou=users,o=webservices,dc=my,dc=domain" write
    by dn="uid=admin,ou=users,o=webservices,dc=my,dc=domain" write
    by * read
---snipp---
So, I think this is "well-formed"; can someone give
me a hint what's wrong?
greets Harry
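As an added illustration (not part of the post and not OpenLDAP's own code), the script below parses a klist listing and a slapd.conf excerpt shaped like the ones above (constructed inputs, using the post's principal and hostnames), shows the authentication DN slapd forms from the GSSAPI principal and the DN the saslRegexp rule maps it to, and checks that the host in the ldap/ service ticket matches sasl-host, since the acceptor's key is ldap/<sasl-host>@<sasl-realm> and a ticket for another host name is one way gss_accept_sec_context fails. The parsing is a simplified model of slapd's behaviour, assumed for the example.

```python
import re
# Constructed inputs shaped like the post's klist output and slapd.conf
# excerpt (added example, not OpenLDAP code); hostnames are the post's.
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: 44857@WEBSERVICES
Oct 31 14:21:41  Nov  1 00:21:41  krbtgt/WEBSERVICES@WEBSERVICES
Oct 31 14:21:58  Nov  1 00:21:41  ldap/myserver.mydomain@WEBSERVICES
"""
SLAPD_CONF = """\
srvtab /etc/krb5.keytab
sasl-host fra10000144.srv.fra.fraport.de
sasl-realm WEBSERVICES
saslRegexp
    uid=(.*),cn=WEBSERVICES,cn=GSSAPI,cn=auth
    uid=$1,ou=users,o=webservices,dc=my,dc=domain
"""

def parse_slapd_conf(text):
    """Directive -> args; whitespace-led lines continue the previous directive."""
    conf, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            conf[key].extend(line.split())
        else:
            key, *args = line.split()
            conf[key] = args
    return conf

def sasl_authz_dn(principal):
    """Authentication DN slapd forms from a GSSAPI principal user@REALM."""
    user, realm = principal.split("@", 1)
    return "uid=%s,cn=%s,cn=GSSAPI,cn=auth" % (user, realm)

def map_sasl_dn(authz_dn, pattern, replacement):
    """Apply one saslRegexp rule; $N in the replacement is match group N.
    Returns None when the rule does not match (no mapping, no identity)."""
    m = re.fullmatch(pattern, authz_dn, re.IGNORECASE)
    return m and re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def service_ticket_hosts(klist_text, service="ldap"):
    """Host part of every <service>/HOST@REALM ticket in a klist listing."""
    return re.findall(r"\b%s/(\S+)@\S+" % re.escape(service), klist_text)

def check_sasl_host(conf, klist_text):
    """Ticket hosts that differ from sasl-host: the acceptor's key is for
    ldap/<sasl-host>@<sasl-realm>, so such a ticket cannot be accepted."""
    sasl_host = conf["sasl-host"][0]
    return [h for h in service_ticket_hosts(klist_text) if h != sasl_host]
```

Run against the post's own values it reports the ticket host myserver.mydomain as differing from the configured sasl-host; on a working setup the list is empty and the mapped DN is the entry the ACL's first `by dn=` clause grants write access to.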