On FreeBSD 5.2.1, I am using this doc to try and
get SASL auth to work with OpenLDAP 2.1.30. Cyrus-SASL 2.1.18 is using saslauthd
setup with Heimdal Kerberos 0.6 and saslauthd is running with the '-a kerberos5'
flag. I initialized the realm in Heimdal, exported an ldap service key to
/etc/krb5.keytab and set permissions to 'rw------- ldap ldap'. Then using the
doc below, entered the sasl setup in slapd.conf:
sasl-host esmtp.webtent.net
sasl-realm WEBTENT.NET
sasl-regexp
    uid=(.*),cn=webtent.net,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=webtent,dc=net

This is what is happening:
esmtp# kadmin -l
kadmin> list *
robert@WEBTENT.NET
Manager@WEBTENT.NET
default@WEBTENT.NET
imapadm@WEBTENT.NET
kadmin/admin@WEBTENT.NET
kadmin/hprop@WEBTENT.NET
robert/admin@WEBTENT.NET
kadmin/changepw@WEBTENT.NET
changepw/kerberos@WEBTENT.NET
krbtgt/WEBTENT.NET@WEBTENT.NET
ldap/esmtp.webtent.net@WEBTENT.NET
kadmin> ext_keytab ldap/esmtp.webtent.net
kadmin> quit
esmtp# chown ldap:ldap /etc/krb5.keytab
esmtp# kinit robert
robert@WEBTENT.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: robert@WEBTENT.NET

  Issued           Expires          Principal
Apr 24 14:16:25  Apr 25 00:16:25  krbtgt/WEBTENT.NET@WEBTENT.NET

esmtp# ldapsearch -x -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=webtent,dc=net> with scope sub
# filter: uid=robert
# requesting: -LLL
#

# Robert Fitzpatrick, People, webtent.net
dn: cn=Robert Fitzpatrick,ou=People,dc=webtent,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

esmtp# ldapsearch -Y GSSAPI -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown)

I assume there is something major that I am missing, can someone offer what they think it may be?
--
Robert
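The sasl-regexp rule in a slapd.conf like the one above can be checked on its own, without a working Kerberos bind. The following is an added example, not code from the post or from OpenLDAP: a small Python emulation of how slapd applies sasl-regexp rules to the uid=<user>,cn=<realm>,cn=<mech>,cn=auth identity it builds after a SASL bind succeeds. The rule and realm come from the post; the mismatched-realm identity is a constructed input, and the example assumes slapd matches the pattern case-insensitively and substitutes $1..$9 from the capture groups.

```python
import re

# Rule taken from the slapd.conf in the post: (match pattern, replacement).
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=webtent.net,cn=gssapi,cn=auth",
     r"uid=$1,ou=People,dc=webtent,dc=net"),
]


def sasl_authzid(user, realm, mech):
    """Build the identity string slapd hands to sasl-regexp after a SASL bind."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def apply_sasl_regexp(authzid, rules=SASL_REGEXP_RULES):
    """Return the DN produced by the first matching rule.

    If no rule matches, the identity is returned unchanged, which is what
    slapd does: the bind then authorizes as the raw cn=auth identity and
    will not find the user's entry under ou=People.
    Assumption (not verified against the source): the pattern is compiled
    case-insensitively, so cn=webtent.net matches realm WEBTENT.NET.  The
    pattern is not anchored; use ^ and $ in the rule if you need that.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m is None:
            continue

        def sub_group(g, m=m):
            n = int(g.group(1))          # $0 = whole match, $1..$9 = groups
            return m.group(n) if n <= len(m.groups()) else ""

        return re.sub(r"\$(\d)", sub_group, replacement)
    return authzid


if __name__ == "__main__":
    # Identity slapd would build for the kinit'ed user in the post.
    ok = sasl_authzid("robert", "WEBTENT.NET", "GSSAPI")
    print(ok, "->", apply_sasl_regexp(ok))
    # Constructed input: a realm that the rule does not cover stays unmapped.
    bad = sasl_authzid("robert", "WEBENT.NET", "GSSAPI")
    print(bad, "->", apply_sasl_regexp(bad))
```

The mapping only runs once the GSSAPI exchange itself has succeeded, so it does not exercise the "Server (...) unknown" error shown in the post; it verifies that the regexp and replacement yield the DN that the simple bind above found.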