
RE: sasl-host ignored in GSSAPI authentication



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jeffrey Layton

> I've worked out my other problem with getting a good krbtgt, but now I
> have a new one. OpenLDAP is running on a host:
>
>     real-host.domain.net
>
> I have a CNAME in DNS that points to this called:
>
>     ldap.domain.net
>
> In slapd.conf, I have:
>
>     sasl-host ldap.domain.net
>
> But when I try to run an ldapsearch, I get the following error.
>
> % ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (82)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (Server
> (ldap/real-host.domain.net@DOMAIN.NET) unknown)
>
> My understanding of sasl-host was that it would force the principal
> above to be 'ldap/ldap.domain.net', but that doesn't seem to be working
> here. Is this not working correctly, or is my understanding of sasl-host
> incorrect?

The sasl-host config in slapd.conf has absolutely nothing to do with the
service name that a client will request. The client generates a request based
on the server name that you provided to it. Check your ldap.conf file.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
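The point of the reply above is that the service principal in the error, ldap/real-host.domain.net@DOMAIN.NET, is built on the client side from the host name in ldap.conf (URI or the older HOST directive) or from -H on the ldapsearch command line, and slapd's sasl-host never enters into it. The script below is an added example, not code from OpenLDAP or from anyone in this thread: it parses a constructed ldap.conf, derives the principal a GSSAPI client would request for each configured server, and optionally chases a CNAME the way MIT krb5 does when dns_canonicalize_hostname is left at its default, so that a URI pointing at the alias ldap.domain.net still ends up requesting ldap/real-host.domain.net. The ldap.conf text, the CNAME table and the realm DOMAIN.NET are all constructed for the example.

```python
"""
Derive the Kerberos service principal an OpenLDAP GSSAPI client will ask
the KDC for, from the server name configured on the client side.

Added example, not OpenLDAP code. SAMPLE_LDAP_CONF and SAMPLE_CNAMES are
constructed inputs, chosen to match the names used in the thread.
"""
from urllib.parse import urlsplit

# Constructed ldap.conf content (not a real file from the thread).
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed example)
BASE      dc=domain,dc=net
URI       ldap://real-host.domain.net
SASL_MECH GSSAPI
"""

# Constructed DNS view: alias -> canonical name, i.e. what the Kerberos
# library sees when it canonicalizes the host before building the principal.
SAMPLE_CNAMES = {"ldap.domain.net": "real-host.domain.net"}


def parse_ldap_conf(text):
    """Return ldap.conf directives as a dict keyed by upper-cased name.

    Handles the subset of syntax this example needs: one directive per
    line, '#' comment lines and blank lines ignored, value is the rest
    of the line.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def server_hosts(conf):
    """Hosts the client will contact, in order. URI wins over HOST."""
    if "URI" in conf:
        # Whitespace-separated list of URIs; urlsplit lower-cases hostname.
        return [urlsplit(u).hostname for u in conf["URI"].split()]
    if "HOST" in conf:
        # Whitespace-separated host[:port] entries.
        return [h.split(":")[0].lower() for h in conf["HOST"].split()]
    return ["localhost"]  # libldap's documented default when nothing is set


def service_principal(host, realm, cnames=None):
    """Principal the client requests for host: ldap/<host>@REALM.

    When a cnames table is given, follow aliases to the canonical name,
    mirroring MIT krb5 with dns_canonicalize_hostname enabled (its
    default). A loop guard stops on circular constructed data.
    """
    host = host.lower().rstrip(".")
    seen = set()
    while cnames and host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host].lower().rstrip(".")
    return f"ldap/{host}@{realm}"


def expected_principals(ldap_conf_text, realm, cnames=None):
    """Principals a GSSAPI bind will request, given this ldap.conf text."""
    conf = parse_ldap_conf(ldap_conf_text)
    return [service_principal(h, realm, cnames) for h in server_hosts(conf)]


if __name__ == "__main__":
    # Reproduces the name in the thread's error message from the URI alone.
    for p in expected_principals(SAMPLE_LDAP_CONF, "DOMAIN.NET"):
        print(p)
    # Even a URI that names the alias yields the canonical host's principal
    # once the Kerberos library chases the CNAME.
    print(service_principal("ldap.domain.net", "DOMAIN.NET", SAMPLE_CNAMES))
```

Run it against your own ldap.conf text to see which principal the client side will actually request; if the KDC has no key for that name, the "Server (...) unknown" error above is what comes back, and no change to sasl-host on the server will alter which name is requested.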