Re: "Invalid Credentials" with Heimdal and Cyrus SASL



* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [030228 13:11]:
> At 12:45 PM 2/28/2003, Ben Poliakoff wrote:
> >I get the same results (Invalid credentials) if I specify a dn with
> >which to bind.  
> 
> I'm sorry but... if you are doing SASL/GSSAPI, why are you
> specifying a DN with which to bind?  Generally, one should
> not specify either a bind name (nor a SASL authorization
> identity) when attempting a SASL bind.

I specified a DN after earlier SASL binds had failed.  Thanks for
pointing out that specifying a DN in a SASL context is wrong.  I hadn't
picked up on that.

> And before you attempt an ldapsearch(1), I suggest you make
> sure that ldapwhoami(1) is returning what you expect to be
> the LDAP authorization DN.

ldapwhoami reports the same error:

    [benp@thingone benp]$ ldapwhoami
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): authentication failure: GSSAPI
    Failure: gss_accept_sec_context

But ldapwhoami and ldapsearch both get me an ldap service ticket:

    Ticket cache: FILE:/tmp/krb5cc_25022_61taT9
    Default principal: benp@REED.EDU

    Valid starting     Expires            Service principal
    03/03/03 16:51:05  03/04/03 02:51:05  krbtgt/REED.EDU@REED.EDU
    03/03/03 16:53:14  03/04/03 02:51:05  ldap/thingone.reed.edu@REED.EDU

Ben

-- 
---------------------------------------------------------------------------
Ben Poliakoff                                       email: <benp@reed.edu>
Reed College                                          tel:  (503)-788-6674
Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019