Hi, I'm fairly new to the world of LDAP/OpenLDAP (as well as Kerberos and SASL ;) so excuse me if I make a mistake. I've set up Kerberos (which works, as far as I can tell -- I can get a ticket, etc.) and can fully run the cyrus-sasl2 sample-server/sample-client suite, which is proof it works, I guess. When I come to getting OpenLDAP21 to use Kerberos to authenticate, I run into trouble.

My directory (for testing) is simple:

  dn: dc=lewiz,dc=org
  dc: lewiz
  objectClass: top
  objectClass: domain

  dn: ou=People,dc=lewiz,dc=org
  ou: People
  objectClass: top
  objectClass: organizationalUnit

  dn: uid=lewiz,ou=People,dc=lewiz,dc=org
  uid: lewiz
  cn: Lewis Thompson
  objectClass: account
  objectClass: top
  objectClass: krb5Principal
  krb5PrincipalName: lewiz@LEWIZ.ORG

and I also have the following in my slapd.conf:

  sasl-realm LEWIZ.ORG
  sasl-host ldap.lewiz.org
  sasl-regexp uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth uid=$1,ou=People,dc=lewiz,dc=org

As I said, I'm new to this, but I believe the sasl-regexp matches up the provided details to the actual entry (from the Administration Guide (http://www.openldap.org/devel/admin/sasl.html)).

Anyhow, I can successfully get a ticket with ``kinit lewiz'', but when I try and do a simple:

  ldapsearch -I

I receive the following:

  SASL/GSSAPI authentication started
  SASL Interaction
  Please enter your authorization name:
  ldap_sasl_interactive_bind_s: Invalid credentials (49)
          additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

In my log file I get the following (loglevel 2):

  Jul 27 01:50:42 orange slapd[61641]: connection_get(12)
  Jul 27 01:50:43 orange last message repeated 2 times
  Jul 27 01:50:43 orange slapd[61641]: SRCH "" 0 0
  Jul 27 01:50:43 orange slapd[61641]:     0 0 0
  Jul 27 01:50:43 orange slapd[61641]:     filter: (objectClass=*)
  Jul 27 01:50:43 orange slapd[61641]:     attrs:
  Jul 27 01:50:43 orange slapd[61641]:     supportedSASLMechanisms
  Jul 27 01:50:43 orange slapd[61641]:
  Jul 27 01:50:43 orange slapd[61641]: send_ldap_result: err=0 matched="" text=""
  Jul 27 01:50:44 orange slapd[61641]: connection_get(12)
  Jul 27 01:50:44 orange slapd[61641]: ==> sasl_bind: dn="" mech=GSSAPI datalen=542
  Jul 27 01:50:44 orange slapd[61641]: GSSAPI Failure: gss_accept_sec_context
  Jul 27 01:50:44 orange slapd[61641]: send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
  Jul 27 01:50:44 orange slapd[61641]: connection_get(12)

Also, the Kerberos logs show:

  2003-07-27T02:50:44 TGS-REQ lewiz@LEWIZ.ORG from IPv4:192.168.0.2 for ldap/orange.lewiz.org@LEWIZ.ORG

so the ticket is definitely being checked, or something like that. Furthermore, I have ldap/orange.lewiz.org in the keytab slapd is running on.

I've been unable to find much detail on the error (in fact, it doesn't even appear to be an error) and /any/ help would be greatly appreciated!

Thanks very much,

-lewiz.

-- 
If you took all the students that fell asleep in class and laid them end to end, they'd be a lot more comfortable.
  -- "Graffiti in the Big Ten"
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-
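For anyone wanting to sanity-check a sasl-regexp line against their entries, here is a small Python script added to this post (it is not the poster's code and not part of OpenLDAP) that builds the authentication-request DN slapd derives from a SASL bind, applies the poster's sasl-regexp to it, and checks whether the result names an entry in the LDIF above. It assumes the realm and mechanism appear lowercased in that DN and that the match is anchored and case-insensitive; both are assumptions. Note that slapd only reaches this mapping after the GSSAPI exchange has succeeded, so a gss_accept_sec_context failure happens before any sasl-regexp is consulted.

```python
import re

# Constructed from the post: the three LDIF entries and the slapd.conf sasl-regexp.
LDIF = """\
dn: dc=lewiz,dc=org
dc: lewiz
objectClass: top
objectClass: domain

dn: ou=People,dc=lewiz,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=lewiz,ou=People,dc=lewiz,dc=org
uid: lewiz
cn: Lewis Thompson
objectClass: account
objectClass: top
objectClass: krb5Principal
krb5PrincipalName: lewiz@LEWIZ.ORG
"""
SASL_REGEXP = (r"uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth",
               "uid=$1,ou=People,dc=lewiz,dc=org")

def ldif_dns(ldif: str) -> set:
    """Collect the DN of every entry in a minimal LDIF text (no continuation lines)."""
    return {line[4:].strip() for line in ldif.splitlines() if line.startswith("dn: ")}

def sasl_auth_dn(authcid: str, realm: str, mech: str) -> str:
    """Authentication-request DN slapd builds from a SASL bind.
    Assumption: realm and mechanism are lowercased, as in the admin guide's examples."""
    return f"uid={authcid},cn={realm.lower()},cn={mech.lower()},cn=auth"

def apply_sasl_regexp(auth_dn: str, pattern: str, replacement: str):
    """Apply one sasl-regexp: anchored, case-insensitive match (assumed to mirror
    slapd's behaviour), with $1..$9 in the replacement expanded from the groups."""
    m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
    if m is None:
        return None  # no rule matched: slapd would keep the cn=auth form
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def check_mapping(authcid: str, realm: str = "LEWIZ.ORG", mech: str = "GSSAPI"):
    """Return (auth_dn, mapped_dn, exists): does the mapped DN name a real entry?"""
    auth_dn = sasl_auth_dn(authcid, realm, mech)
    mapped = apply_sasl_regexp(auth_dn, *SASL_REGEXP)
    return auth_dn, mapped, mapped is not None and mapped in ldif_dns(LDIF)
```

Running check_mapping("lewiz") shows the poster's regexp does map the GSSAPI identity onto uid=lewiz,ou=People,dc=lewiz,dc=org, while an identity from another mechanism is left unmapped.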