RE: sasl-host ignored in GSSAPI authentication
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jeffrey Layton
> I've worked out my other problem with getting a good krbtgt, but now I
> have a new one. OpenLDAP is running on a host:
>
> real-host.domain.net
>
> I have a CNAME in DNS that points to this called:
>
> ldap.domain.net
>
> In slapd.conf, I have:
>
> sasl-host ldap.domain.net
>
> But when I try to run an ldapsearch, I get the following error.
>
> % ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (82)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (Server
> (ldap/real-host.domain.net@DOMAIN.NET) unknown)
>
> My understanding of sasl-host was that it would force the principal
> above to be 'ldap/ldap.domain.net', but that doesn't seem to be working
> here. Is this not working correctly, or is my understanding of sasl-host
> incorrect?
The sasl-host config in slapd.conf has absolutely nothing to do with the
service name that a client will request. The client generates a request based
on the server name that you provided to it. Check your ldap.conf file.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
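
As an added illustration (not part of the original thread and not OpenLDAP code), the sketch below reads the server names a client would take from an ldap.conf and lists the service principal each one leads to, flagged against the principals registered in the KDC. The function names, the sample ldap.conf and the KDC principal list are constructed assumptions; only the names the file itself contains are considered.

```python
import re

SERVICE = "ldap"  # service part of the principal, as seen in the error above

def client_hosts(ldap_conf_text):
    """Server hostnames named by the URI and HOST lines of an ldap.conf."""
    hosts = []
    for raw in ldap_conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key, values = parts[0].upper(), parts[1:]
        if key == "URI":
            for uri in values:
                m = re.match(r"(?i)ldaps?://([^:/?]*)", uri)
                if m and m.group(1):  # ldap:/// names no host
                    hosts.append(m.group(1).lower())
        elif key == "HOST":  # older "name[:port]" form
            hosts.extend(v.split(":")[0].lower() for v in values)
    return hosts

def requested_principals(ldap_conf_text, realm):
    """Principal the client would ask for, one per configured server name."""
    return [f"{SERVICE}/{h}@{realm}" for h in client_hosts(ldap_conf_text)]

def check(ldap_conf_text, realm, kdc_principals):
    """Map each requested principal to whether the KDC has it registered."""
    known = set(kdc_principals)
    return {p: p in known for p in requested_principals(ldap_conf_text, realm)}

# Constructed sample input: not taken from the poster's system.
SAMPLE_LDAP_CONF = """\
# constructed sample
BASE dc=domain,dc=net
URI ldap://real-host.domain.net ldaps://ldap.domain.net:636
"""
SAMPLE_KDC = ["ldap/ldap.domain.net@DOMAIN.NET"]  # assumed KDC contents

if __name__ == "__main__":
    for princ, ok in check(SAMPLE_LDAP_CONF, "DOMAIN.NET", SAMPLE_KDC).items():
        print(("ok      " if ok else "UNKNOWN ") + princ)
```
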