RE: "Invalid Credentials" with Heimdal and Cyrus SASL
Make sure your slapd has access to read the keytab file. Make sure your
keytab file actually contains a key for the ldap principal. Turn up the debug
level on slapd and see what else it complains about, if anything, during the
GSSAPI sequence.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ben Poliakoff
> Having been directed towards Heimdal instead of the MIT krb5 libs I'm
> now having a different problem with GSSAPI binds. Slapd is no longer
> seg faulting (thank heavens!), but when I try a GSSAPI bind with
> ldapsearch I get:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
> Heimdal seems to be installed properly (per Quanah's recommendation,
> it's a snapshot from CVS), and indeed I can get and have tickets.
> Heimdal's klist gives me this:
>
> Credentials cache: FILE:/tmp/krb5cc_25022_t4AWP0
> Principal: benp@REED.EDU
>
> Issued Expires Principal
> Feb 28 12:29:33 Feb 28 19:09:33 krbtgt/REED.EDU@REED.EDU
> Feb 28 12:31:37 Feb 28 19:09:33 ldap/MYSERVER.reed.edu@REED.EDU
>
> I get the same results (Invalid credentials) if I specify a dn with
> which to bind.
>
> Might this be sasl regex related? My sasl-regex lines in slapd.conf
> look like:
>
> sasl-regexp
> uid=(.*),cn=reed.edu,cn=gssapi,cn=auth
> uid=$1,ou=Person,dc=reed,dc=edu
>
> I found what appeared to be someone with the same problem earlier on the
> list, but the thread went nowhere:
>
> http://www.openldap.org/lists/openldap-software/200302/msg00591.html
>
> Any suggestions would be very much appreciated!
>
> Ben
>
> --
> ---------------------------------------------------------------------------
> Ben Poliakoff email: <benp@reed.edu>
> Reed College tel: (503)-788-6674
> Unix System Administrator PGP key: http://www.reed.edu/~benp/key.html
> ---------------------------------------------------------------------------
> 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
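
The first two checks from the reply above (the keytab is readable by slapd, and it holds a key for the ldap principal), as an added Python example that is not part of the original thread. It assumes the keytab uses the 0x0502 file layout; the function names are hypothetical, and `sample_keytab` builds a constructed keytab with an all-zero key for offline testing.

```python
import os, struct

def _counted(data, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype)] from version 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)
        if size <= 0:                    # negative size marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        fields, p = [], start + 2
        for _ in range(ncomp + 1):       # realm first, then name components
            text, p = _counted(data, p)
            fields.append(text)
        p += 8                           # skip name type and timestamp
        kvno = data[p]
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen
        if pos - p >= 4:                 # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype))
    return out

def check_keytab(path, principal):
    """Return a list of problems; run it as the account slapd runs under."""
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by this account"]
    with open(path, "rb") as fh:
        names = {name for name, _, _ in keytab_principals(fh.read())}
    if principal not in names:
        return [f"{path}: no key for {principal}; found {sorted(names)}"]
    return []

def sample_keytab(principal, kvno=1, enctype=18, key=b"\0" * 32):
    """Constructed one-entry keytab (all-zero key) for offline testing."""
    name, realm = principal.split("@")
    counted = lambda s: struct.pack(">H", len(s)) + s.encode()
    fields = [realm] + name.split("/")
    body = struct.pack(">H", len(fields) - 1) + b"".join(map(counted, fields))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

The principal comparison is an exact string match, so pass the service principal exactly as the client's ticket list shows it.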