I wrote to the list last month describing some trouble I've been having getting proper SASL/GSSAPI authentication to work with a new OpenLDAP installation. Unfortunately I haven't made a lot of headway since then.

In a nutshell:

    openldap-2.1.16
    cyrus-sasl-2.1.12
    db-4.1.25
    heimdal-20030224

Non-SASL anonymous binds work just fine (lookups from various addressbooks and from GQ are very quick and trouble free), but when I try to do a SASL bind (via ldapwhoami for instance) I get the following:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

slapd is running as root currently, so it has access to /etc/krb5.keytab (which contains a principal with the correct kvno for the host). The client (in this case ldapwhoami) gets a service ticket for that principal, but fails with the above error.

My openldap ldap.conf file is pretty simple:

    BASE dc=reed,dc=edu
    ldap://thingone.reed.edu
    SIZELIMIT 700
    TIMELIMIT 150
    DEREF never

My slapd.conf sasl configs look like this:

    srvtab /etc/krb5.keytab
    sasl-realm REED.EDU
    sasl-host thingone.reed.edu
    sasl-regexp "uid=\(.*\),cn=reed.edu,cn=gssapi,cn=auth" "uid=$1,ou=Person,dc=reed,dc=edu"

I've run slapd with -5 debug which generated a lot of info, but I'm not sure it would be good etiquette to attach that to this message since it's rather large.

I'm really looking forward to doing a lot of work with OpenLDAP, but for now I'm stuck since I can't authenticate....

Does anyone have any suggestions about how I might further pursue this problem? Would this be a better question for the sasl list?

Ben

P.S. Will summarize in detail when this problem is resolved.

-- 
---------------------------------------------------------------------------
Ben Poliakoff                        email: <benp@reed.edu>
Reed College                         tel: (503)-788-6674
Unix System Administrator            PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019