Re: OpenLDAP with GSSAPI problem
Quoting "Shaick" <shaick_mlist1@lycos.co.uk>:
> Hello Turbo,
>
> I have added the following line in my ldif file,
> objectClass: krb5Principal
> krb5PrincipalName: principal@REALM
Ignore this. It has nothing to do with the problem. It is _ONLY_
used when doing simple binds (i.e., '-x -D ... -W' combo). You're
doing GSSAPI.
> But still I got the same error,
> # ./ldapsearch -Y GSSAPI -U s001
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI Failure
>
> Is my configuration in slapd.conf correct?
>
> =======
> slapd.conf
> ========
> #sasl-realm TEAM.COM
This must be uncommented (if it's correct that is :).
> sasl-host krishna.team.com
Is this what the DNS is saying about the IP that slapd is
running on!?
> password-hash {CLEARTEXT}
Has nothing to do with the problem...
> access to * by * write
> access to * by * read
Remove the last one (write implies read). Since you have no
advanced ACLs, the regexp below has no meaning (or is irrelevant).
> srvtab /etc/krb5.keytab
This is ancient or has to do with Kerberos IV (four) and should
not be used if you're doing Kerberos V (five) only. Remove it.
> sasl-regexp
> uid=(.*),cn=digest-md5,cn=auth
> ldap:///dc=team,dc=com??sub?uid=$1
>
> sasl-regexp
> uid=(.*),cn=cram-md5,cn=auth
> ldap:///dc=team,dc=com??sub?uid=$1
>
> sl-regexp
> uid=(.*),cn=gssapi,cn=auth
> ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
Here you're wrong again. It's "sasl-regexp", not "sl-regexp" :)
Or is this mail older than the one in which this was discovered?
> The Platform details,
> 1. HP-UX 11.11
> 2. Default system Kerberos and GSSAPI libraries are used. (If all the
> configuration and methods are right then I will try the same thing with MIT
> Kerberos. Please confirm whether the steps for testing are correct.)
Does HP-UX 11.11 come with some form of kerberos, sasl and/or ldap
libs? If yes, then maybe YOUR installation is conflicting with the
pre-existing. Check how all libs used are linked. On a Linux system,
this is done with 'ldd' (I assume that's the way to do it on HP-UX
as well).
This is on my stable live system: I can clearly see that it's
linked with the correct kerberos libs etc. Follow each link,
triple checking...
----- s n i p -----
[papadoc.pts/5]$ ldd /usr/lib/libldap.so.2.0.15
liblber.so.2 => /usr/lib/liblber.so.2 (0x40041000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4004d000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40062000)
libdl.so.2 => /lib/libdl.so.2 (0x40072000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40075000)
libsasl.so.7 => /usr/lib/libsasl.so.7 (0x400a2000)
libkrb4.so.2 => /usr/lib/libkrb4.so.2 (0x400ae000)
libdes425.so.3 => /usr/lib/libdes425.so.3 (0x400c1000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x400c5000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4011a000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x4012c000)
libssl.so.0.9.6 => /usr/lib/i686/libssl.so.0.9.6 (0x4012e000)
libcrypto.so.0.9.6 => /usr/lib/i686/libcrypto.so.0.9.6 (0x4015b000)
libc.so.6 => /lib/libc.so.6 (0x40213000)
libdb3.so.3 => /usr/lib/libdb3.so.3 (0x40330000)
libpam.so.0 => /lib/libpam.so.0 (0x403d8000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x403e0000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
----- s n i p -----
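
The directive-level points raised in this reply (commented-out sasl-realm, the srvtab line, the misspelled sasl-regexp, the repeated access rule) can be checked mechanically. The script below is an added example, not part of the original mail or of OpenLDAP; the function names and the sample file are constructed for illustration, and it assumes continuation lines are indented as slapd.conf requires.

```shell
#!/bin/sh
# Added example: lint slapd.conf for the directive problems named in the reply.

lint_slapd_conf() {   # $1 = path to slapd.conf; prints one finding per line
    awk '
    /^[ \t]/ || /^$/ || /^#/ { next }   # skip continuation, blank, comment lines
    {
        d = $1
        if (d == "sasl-realm") realm = 1
        if (d == "srvtab")
            print "line " NR ": srvtab is not used with Kerberos V only, remove it"
        if (d ~ /regexp$/ && d != "sasl-regexp")
            print "line " NR ": unknown directive \"" d "\", did you mean sasl-regexp?"
        if (d == "access" && $2 == "to" && $4 == "by") {
            key = $3 " " $5               # same <what> and same <who>
            if (key in seen)
                print "line " NR ": access rule repeats the what/who of line " seen[key]
            else
                seen[key] = NR
        }
    }
    END { if (!realm) print "sasl-realm is not set (missing or commented out)" }
    ' "$1"
}

write_sample() {      # constructed sample modelled on the quoted config
    cat > "$1" <<'EOF'
#sasl-realm TEAM.COM
sasl-host krishna.team.com
access to * by * write
access to * by * read
srvtab /etc/krb5.keytab
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    ldap:///dc=team,dc=com??sub?uid=$1
sl-regexp
    uid=(.*),cn=gssapi,cn=auth
    ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)
EOF
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
write_sample "$SAMPLE"
lint_slapd_conf "$SAMPLE"
```

Whether sasl-host matches what DNS returns for the server's address, and which Kerberos libraries the binaries are linked against, still have to be checked on the host itself.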