
SASL/GSSAPI problem SOLVED!!



For those of you who were familiar with my problem, I'd like to announce that I solved it, and I knew it would be just something small and stupid that I overlooked.
 
RECAP:
When trying to do a bind with my Kerberos ticket, I was getting the error "Decrypt integrity check failed" when using Heimdal and "Wrong principal in request" when using MIT Kerberos.  I had forgotten that I had wrongly added the principal ldap/(KDC-FQDN) to my keytab file b/c I noticed that a request was being made for this.  But that key should never be on the LDAP server and at the time, I chose to just overlook that problem.  Upon revisiting this, I found that it was the key to solving the problem: slapd was getting a key for ldap/(KDC-FQDN) because in the slapd.conf file, I had listed the KDC as the sasl-host instead of the LDAP server.
 
PROBLEM:
Incorrect sasl-host listed in slapd.conf
 
SOLUTION:
The sasl-host value should be the name of the server (usually the FQDN) such that a principal exists in the form "ldap/(sasl-host)@REALM".
 
-----------------------------
Digant C Kasundra

Software Systems Specialist
Office of Information Technology
University of Texas at Arlington
(817) 272-1291 - digant@uta.edu
 
To request technical support, please
contact our computing Help Desk at
817-272-2208 or helpdesk@uta.edu.
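
The check described in the message above, written out as an added example that is not part of the original post: it reads the sasl-host directive from slapd.conf text, confirms it names the LDAP server itself, and confirms the keytab holds ldap/(sasl-host)@REALM. The host names, the realm, the helper names, and the sample config and `klist -k` text are constructed placeholders.

```python
import re

# Constructed sample data: host names and realm are placeholders, not from the post.
SLAPD_CONF_BAD = """\
# slapd.conf excerpt
sasl-host    kdc.example.com
"""
SLAPD_CONF_GOOD = SLAPD_CONF_BAD.replace("kdc.example.com", "ldap.example.com")

# Constructed text in the layout MIT `klist -k` prints for a keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/ldap.example.com@EXAMPLE.COM
   3 ldap/ldap.example.com@EXAMPLE.COM
"""

def sasl_host(conf_text):
    """Return the sasl-host value from slapd.conf text, or None if absent."""
    m = re.search(r"^\s*sasl-host\s+(\S+)", conf_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip('"') if m else None

def keytab_principals(klist_text):
    """Collect principal names from `klist -k` style lines ("<kvno> <principal>")."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.MULTILINE))

def check_sasl_host(conf_text, klist_text, server_fqdn, realm):
    """Return a list of findings; an empty list means config and keytab agree."""
    host = sasl_host(conf_text)
    if host is None:
        return ["no sasl-host directive found in this file"]
    findings = []
    if host.lower() != server_fqdn.lower():
        findings.append(f"sasl-host is {host}, but this LDAP server is {server_fqdn}")
    expected = f"ldap/{host}@{realm}"
    if expected not in keytab_principals(klist_text):
        findings.append(f"keytab has no key for {expected}")
    return findings

if __name__ == "__main__":
    for name, conf in (("bad", SLAPD_CONF_BAD), ("good", SLAPD_CONF_GOOD)):
        print(name, check_sasl_host(conf, KLIST_OUTPUT, "ldap.example.com", "EXAMPLE.COM"))
```

The second finding is the useful one on a real server: a missing ldap/(sasl-host) key is the cue to correct sasl-host, not to add the KDC's key to the LDAP server's keytab.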