Re: SASL woes
On Saturday, April 24, 2004, at 11:10 AM, Robert Fitzpatrick wrote:
On FreeBSD 5.2.1, I am using this doc to try and get SASL auth to work
with OpenLDAP 2.1.30. Cyrus-SASL 2.1.18 is using saslauthd setup with
Heimdal Kerberos 0.6 and saslauthd is running with the '-a kerberos5'
flag. I initialized the realm in Heimdal, exported an ldap service key
to /etc/krb5.keytab and set permissions to 'rw------- ldap ldap'. Then
using the doc below, entered the sasl setup in slapd.conf:
sasl-host esmtp.webtent.net
sasl-realm WEBTENT.NET
sasl-regexp
uid=(.*),cn=webtent.net,cn=gssapi,cn=auth
uid=$1,ou=People,dc=webtent,dc=net
This is what is happening:
I don't really know what's wrong there, but a couple ideas for
diagnosis:
- Comment out the sasl-host and sasl-realm directives, see if that
changes anything. It shouldn't. If it does, did sasl-realm actually
say "WEBENT.NET", not "WEBTENT.NET"?
- Does the error actually say "krbtgt/WEBENT.NET@WEBTENT.NET"?
If so, and there isn't really a WEBENT, track that down. If there
really is a WEBENT, you're trying to do cross-realm authentication.
May be workable, but won't just work automatically.
- Look at the Kerberos KDC syslog, to see what Kerberos requests precede
this error. (If any - if none, you may be sending the requests to some
other KDC.)
- ldapsearch/sasl looks in krb5.conf for the realm, or this information
may be retrievable directly from DNS TXT and SRV records.
(host -t txt _kerberos.my.domain -> realm;
host -t srv _kerberos._udp.my.realm -> KDC.)
I guess this is working OK, since it seems to work for kinit.
Donn Cave, donn@u.washington.edu
esmtp# kadmin -l
kadmin> list *
robert@WEBTENT.NET
Manager@WEBTENT.NET
default@WEBTENT.NET
imapadm@WEBTENT.NET
kadmin/admin@WEBTENT.NET
kadmin/hprop@WEBTENT.NET
robert/admin@WEBTENT.NET
kadmin/changepw@WEBTENT.NET
changepw/kerberos@WEBTENT.NET
krbtgt/WEBTENT.NET@WEBTENT.NET
ldap/esmtp.webtent.net@WEBTENT.NET
kadmin> ext_keytab ldap/esmtp.webtent.net
kadmin> quit
esmtp# chown ldap:ldap /etc/krb5.keytab
esmtp# kinit robert
robert@WEBTENT.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: robert@WEBTENT.NET
Issued Expires Principal
Apr 24 14:16:25 Apr 25 00:16:25 krbtgt/WEBTENT.NET@WEBTENT.NET
esmtp# ldapsearch -x -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=webtent,dc=net> with scope sub
# filter: uid=robert
# requesting: -LLL
#
# Robert Fitzpatrick, People, webtent.net
dn: cn=Robert Fitzpatrick,ou=People,dc=webtent,dc=net
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
esmtp# ldapsearch -Y GSSAPI -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Server
(krbtgt/WEBENT.NET@WEBTENT.NET) unknown)
I assume there is something major that I am missing; can someone offer
what they think it may be?
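The two things the reply asks the poster to check, whether the sasl-regexp actually maps the GSSAPI identity to the intended DN and whether the "Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown" error names a same-realm or a cross-realm TGT, can be tried offline. The following Python is an added example written for this archive page; it is not code from the thread or from OpenLDAP, Cyrus-SASL or Heimdal. It assumes the slapd.conf sasl-regexp quoted above, a simplified model of slapd's $1 substitution (anchored full-string match), and constructed principal strings taken from the posted error and kadmin listing.

```python
import difflib
import re

# Constructed from the sasl-regexp in the poster's slapd.conf (pattern, replacement).
SASL_REGEXP = (
    r"uid=(.*),cn=webtent.net,cn=gssapi,cn=auth",
    "uid=$1,ou=People,dc=webtent,dc=net",
)


def map_sasl_identity(authcid, pattern, replacement):
    """Apply a slapd-style sasl-regexp to a SASL authentication identity.

    Simplified model (assumption): the identity must match the whole pattern,
    and $1..$9 in the replacement are expanded from the capture groups.
    Returns the resulting DN, or None when the regexp does not apply.
    """
    m = re.fullmatch(pattern, authcid)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def parse_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm).

    instance is None for principals such as robert@WEBTENT.NET.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    service, _, instance = name.partition("/")
    return service, instance or None, realm


def check_tgt_principal(principal):
    """Classify the server principal named in a 'Server (...) unknown' error.

    A ticket-granting ticket is krbtgt/REALM@REALM. When the instance realm
    differs from the trailing realm, the client is asking the KDC for a
    cross-realm TGT, which is what the reply warns about.
    """
    service, instance, realm = parse_principal(principal)
    if service != "krbtgt":
        return "not-a-tgt"
    if instance == realm:
        return "local"
    return "cross-realm"


def looks_like_typo(expected_realm, seen_realm, threshold=0.8):
    """Heuristic: two realm names that are very similar but not equal are more
    likely a misspelling in a config file than a genuine second realm."""
    if expected_realm == seen_realm:
        return False
    ratio = difflib.SequenceMatcher(None, expected_realm, seen_realm).ratio()
    return ratio >= threshold


def diagnose_error(principal, configured_realm):
    """Turn the error's server principal into one of the reply's diagnoses."""
    kind = check_tgt_principal(principal)
    if kind != "cross-realm":
        return kind
    _, instance_realm, _ = parse_principal(principal)
    if looks_like_typo(configured_realm, instance_realm):
        return "probable-realm-typo"
    return "cross-realm"


if __name__ == "__main__":
    # Constructed inputs taken from the posted configuration and error text.
    print(map_sasl_identity("uid=robert,cn=webtent.net,cn=gssapi,cn=auth", *SASL_REGEXP))
    print(diagnose_error("krbtgt/WEBENT.NET@WEBTENT.NET", "WEBTENT.NET"))
```

Running it with the poster's values shows that the regexp itself yields uid=robert,ou=People,dc=webtent,dc=net, so the mapping is not the problem, and that the realm pair in the error is one character away from WEBTENT.NET, which is the typo check the reply suggests making before investigating real cross-realm trust.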
- References:
- SASL woes
- From: "Robert Fitzpatrick" <robert@webtent.com>