RE: Need SASL idiot-proof walkthrough
I have done the sample-server and sample-client and successfully got to the
"Negotiation complete" part. But OpenLDAP is still giving me problems:

do_sasl_bind: dn () mech GSSAPI
SASL [conn=32] Failure: GSSAPI Error: Miscellaneous failure (see text)
(Decrypt integrity check failed)

The sasl tests work, kinit works, ??? I'm not sure what the problem could
be. I do have an entry for dn: uid=digant,cn=people,dc=uta,dc=edu and my
slapd.conf file has the following:
(I do notice that the bind dn is "" which makes me think my sasl-regexp is
fubar.)

sasl-realm "KERB.UTA.EDU"
sasl-host labrador.kerb.uta.edu
sasl-regexp uid=(.*),cn=kerb.uta.edu,cn=gssapi,cn=auth
    ldap:///uid=$1,cn=people,dc=uta,dc=edu??sub

-----Original Message-----
From: Quanah Gibson-Mount
To: Digant Kasundra; 'openldap-software@openldap.org'
Sent: 3/26/2004 11:16 AM
Subject: Re: Need SASL idiot-proof walkthrough

--On Friday, March 26, 2004 10:21 AM -0600 Digant Kasundra <digant@uta.edu> wrote:

> Hello everyone,
>
> So far, no one has been able to decipher my SASL problem from my postings
> of log files and conf files etc. I have even cleanly reinstalled my
> machines. There is something basic and simple and stupid that I must be
> missing. Can someone please give me a step-by-step walkthrough based on
> the following information so I could make doubly sure that I am doing
> things properly?
>
> I have a KDC (running MIT KRB) on labrador.kerb.uta.edu. I have an
> OpenLDAP 2.2.7 box running on omicron.kerb.uta.edu. I have a realm
> KERB.UTA.EDU. I have a user dn: uid=digant,cn=people,dc=uta,dc=edu.
>
> An idiot-proof walkthrough would really help and I *KNOW* that's asking a
> lot out of people and I wholly apologize for that. I've done it on my
> own and no one can see a problem with the way I did it but it still
> doesn't work. So if someone can give me a step by step on which
> principals to create, what entry to create in the LDAP and what to put in
> the slapd.conf (and any other important steps), I promise I will buy you
> a pizza!

Digant,
Have you compiled the test server/client that comes with Cyrus-SASL to
verify that it authenticates correctly via GSSAPI at that level?
See this link:
<http://www.ipnet6.org/src/cyrus-sasl-2/doc/gssapi.html>
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
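
The sasl-regexp rule quoted in the message above, applied to sample authentication DNs, as an added example that is not part of the original thread or of OpenLDAP's code. Python's re module stands in for slapd's regex matching (assumed unanchored), the input DNs are constructed, and STRICT is a hypothetical tighter pattern that does not appear in the post.

```python
import re

# Rule as posted in the slapd.conf excerpt above.
PATTERN = r"uid=(.*),cn=kerb.uta.edu,cn=gssapi,cn=auth"
REPLACEMENT = "ldap:///uid=$1,cn=people,dc=uta,dc=edu??sub"
# Hypothetical tighter pattern (not from the post): anchored, dots escaped,
# and the capture may not contain a comma.
STRICT = r"^uid=([^,]*),cn=kerb\.uta\.edu,cn=gssapi,cn=auth$"


def rewrite(authn_dn, pattern=PATTERN, replacement=REPLACEMENT):
    """Apply one match/replace rule; return None when the rule does not match."""
    m = re.search(pattern, authn_dn)  # assumption: unanchored match
    if m is None:
        return None
    # Substitute $1..$9 in the replacement with the captured groups.
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into named parts."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("expected an ldap:/// URL")
    base, attrs, scope, filt = (url[len(prefix):].split("?") + [""] * 3)[:4]
    return {"base": base, "attrs": attrs, "scope": scope, "filter": filt}


def search_base(authn_dn, pattern=PATTERN):
    """Search base the rule would produce for authn_dn, or None if no match."""
    url = rewrite(authn_dn, pattern)
    return parse_ldap_url(url)["base"] if url else None


# Constructed authentication DNs (not taken from the poster's logs).
SAMPLES = [
    "uid=digant,cn=kerb.uta.edu,cn=gssapi,cn=auth",       # realm component present
    "uid=digant,cn=gssapi,cn=auth",                        # realm component absent
    "uid=digant,cn=x,cn=kerb.uta.edu,cn=gssapi,cn=auth",   # extra RDN after uid
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(dn)
        print("  posted rule:", search_base(dn))
        print("  strict rule:", search_base(dn, STRICT))
```

Neither pattern matches when the realm component is missing from the authentication DN. For the third sample the posted rule's greedy `(.*)` carries the extra RDN into the search base, while the strict pattern rejects it.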