Re: SASL/GSSAPI authentication problems - Invalid credentials
On Mon, 2003-04-28 at 19:33, Ben Poliakoff wrote:
> I wrote to the list last month describing some trouble I've been having
> getting proper SASL/GSSAPI authentication to work with a new OpenLDAP
> installation. Unfortunately I haven't made a lot of headway since then.
>
> In a nutshell:
>
> openldap-2.1.16
> cyrus-sasl-2.1.12
> db-4.1.25
> heimdal-20030224
>
> Non SASL anonymous binds work just fine (lookups from various
> addressbooks and from GQ are very quick and trouble free), but when I
> try to do a SASL bind (via ldapwhoami for instance) I get the following:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
Did you test SASL to ensure it is talking to heimdal properly?
in one shell:
saslauthd -a kerberos5 -d -m <mux path>
in another:
testsaslauthd -u username -p password -r REALM -s ldap -f <mux path>
KDC logs are also a good place to look, since invalid credentials means
just that ... that OpenLDAP appears to be working correctly.
> slapd is running as root currently, so it has access to /etc/krb5.keytab
> (which contains a principal with the correct kvno for the host). The
> client (in this case ldapwhoami) gets a service ticket for that
> principal, but fails with the above error.
>
> My openldap ldap.conf file is pretty simple:
>
> BASE dc=reed,dc=edu
> ldap://thingone.reed.edu
> SIZELIMIT 700
> TIMELIMIT 150
> DEREF never
>
> My slapd.conf sasl configs look like this:
>
> srvtab /etc/krb5.keytab
> sasl-realm REED.EDU
> sasl-host thingone.reed.edu
>
> sasl-regexp
> "uid=\(.*\),cn=reed.edu,cn=gssapi,cn=auth"
> "uid=$1,ou=Person,dc=reed,dc=edu"
>
> I've run slapd with -5 debug which generated a lot of info, but I'm not
> sure it would be good etiquette to attach that to this message since
> it's rather large.
>
> I'm really looking forward to doing a lot of work with OpenLDAP, but for
> now I'm stuck since I can't authenticate....
>
> Does anyone have any suggestions about how I might further pursue this
> problem? Would this be a better question for the sasl list?
>
> Ben
>
> P.S. Will summarize in detail when this problem is resolved.
>
> --
> ---------------------------------------------------------------------------
> Ben Poliakoff email: <benp@reed.edu>
> Reed College tel: (503)-788-6674
> Unix System Administrator PGP key: http://www.reed.edu/~benp/key.html
> ---------------------------------------------------------------------------
> 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
>
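As an added illustration of the sasl-regexp directive quoted from Ben's slapd.conf (this is not code from the thread or from OpenLDAP itself): slapd first names an authenticated SASL user as uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth and then rewrites that DN with the first sasl-regexp rule that matches. The Python below reproduces that two-step mapping, including the case where no realm is present and the rule therefore does not fire; the case-insensitive, unanchored matching is an assumption about slapd's regex handling, and the identity values are constructed.

```python
import re

# Mapping rules copied from the sasl-regexp directive quoted in the thread:
# (pattern, replacement). slapd substitutes $1..$9 from the match.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=reed.edu,cn=gssapi,cn=auth",
     "uid=$1,ou=Person,dc=reed,dc=edu"),
]


def sasl_authz_dn(authcid: str, realm: str, mech: str) -> str:
    """Build the internal DN slapd derives from a SASL authentication identity.

    Form: uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth. The cn=<realm>
    component is omitted when SASL supplied no realm.
    """
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.append(f"cn={mech.lower()}")
    parts.append("cn=auth")
    return ",".join(parts)


def apply_sasl_regexp(authz_dn: str, rules=SASL_REGEXP_RULES) -> str:
    """Return the first matching rewrite, or the unmapped DN if no rule matches.

    Assumption: slapd matches patterns case-insensitively and unanchored
    (regexec semantics), so cn=reed.edu in the rule also matches REED.EDU.
    """
    for pattern, template in rules:
        m = re.search(pattern, authz_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # Replace $1..$9 in the template with the captured groups.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    # No rule matched: the bind still succeeds, but ACLs see the cn=auth form.
    return authz_dn


if __name__ == "__main__":
    # Constructed identities: with and without a realm from the GSSAPI layer.
    for realm in ("REED.EDU", ""):
        dn = sasl_authz_dn("benp", realm, "GSSAPI")
        print(f"{dn} -> {apply_sasl_regexp(dn)}")
```

The second constructed case shows why a mapping rule that names the realm silently stops applying if slapd ever sees the identity without one.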