
Re: SASL woes



On Saturday, April 24, 2004, at 11:10 AM, Robert Fitzpatrick wrote:
On FreeBSD 5.2.1, I am using this doc to try and get SASL auth to work with OpenLDAP 2.1.30. Cyrus-SASL 2.1.18 is using saslauthd set up with Heimdal Kerberos 0.6, and saslauthd is running with the '-a kerberos5' flag. I initialized the realm in Heimdal, exported an ldap service key to /etc/krb5.keytab and set permissions to 'rw------- ldap ldap'. Then, using the doc below, I entered the SASL setup in slapd.conf:
 
sasl-host       esmtp.webtent.net
sasl-realm      WEBTENT.NET
sasl-regexp
        uid=(.*),cn=webtent.net,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=webtent,dc=net
This is what is happening:

I don't really know what's wrong there, but a couple ideas for diagnosis:
- Comment out the sasl-host and sasl-realm directives, see if that
changes anything. It shouldn't. If it does, did sasl-realm actually
say "WEBENT.NET", not "WEBTENT.NET"?
- Does the error actually say "krbtgt/WEBENT.NET@WEBTENT.NET"?
If so, and there isn't really a WEBENT, track that down. If there
really is a WEBENT, you're trying to do cross-realm authentication.
May be workable, but won't just work automatically.
- Look at the Kerberos KDC syslog, to see what Kerberos requests precede
this error. (If any - if none, you may be sending the requests to some
other KDC.)
- ldapsearch/sasl looks in krb5.conf for the realm, or this information
may be retrievable directly from DNS TXT and SRV records.
(host -t txt _kerberos.my.domain -> realm;
host -t srv _kerberos._udp.my.realm -> KDC.)
I guess this is working OK, since it seems to work for kinit.


	Donn Cave, donn@u.washington.edu

esmtp# kadmin -l
kadmin> list *
  robert@WEBTENT.NET
  Manager@WEBTENT.NET
  default@WEBTENT.NET
  imapadm@WEBTENT.NET
  kadmin/admin@WEBTENT.NET
  kadmin/hprop@WEBTENT.NET
  robert/admin@WEBTENT.NET
  kadmin/changepw@WEBTENT.NET
  changepw/kerberos@WEBTENT.NET
  krbtgt/WEBTENT.NET@WEBTENT.NET
  ldap/esmtp.webtent.net@WEBTENT.NET
kadmin> ext_keytab ldap/esmtp.webtent.net
kadmin> quit
esmtp# chown ldap:ldap /etc/krb5.keytab
esmtp# kinit robert
robert@WEBTENT.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: robert@WEBTENT.NET
 
  Issued           Expires          Principal                  
Apr 24 14:16:25  Apr 25 00:16:25  krbtgt/WEBTENT.NET@WEBTENT.NET
esmtp# ldapsearch -x -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=webtent,dc=net> with scope sub
# filter: uid=robert
# requesting: -LLL
#
 
# Robert Fitzpatrick, People, webtent.net
dn: cn=Robert Fitzpatrick,ou=People,dc=webtent,dc=net
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1
esmtp# ldapsearch -Y GSSAPI -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown)
I assume there is something major that I am missing, can someone offer what they think it may be?
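A small consistency check for the symptom discussed in this thread, added here as an example and not part of the original exchange. It takes the slapd.conf fragment and the ldapsearch error line quoted above as constructed inputs, pulls the two realms out of the krbtgt principal in the error, and reports whether the request is cross-realm or whether sasl-realm disagrees with the ticket realm.

```python
import re

# Constructed inputs copied from the thread above: the slapd.conf fragment
# and the GSSAPI error line printed by ldapsearch -Y GSSAPI.
SLAPD_CONF = """\
sasl-host       esmtp.webtent.net
sasl-realm      WEBTENT.NET
sasl-regexp
        uid=(.*),cn=webtent.net,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=webtent,dc=net
"""
GSSAPI_ERROR = ("SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure "
                "(see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown)")

# A TGS request names krbtgt/<service realm>@<client realm>.
KRBTGT_RE = re.compile(r"krbtgt/([^@\s)]+)@([^\s)]+)")

def parse_krbtgt(msg):
    """Return (service_realm, client_realm) from the error text, or None."""
    m = KRBTGT_RE.search(msg)
    return (m.group(1), m.group(2)) if m else None

def slapd_directive(conf, name):
    """Value of a one-line slapd.conf directive such as sasl-realm, or None."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == name:
            return parts[1]
    return None

def diagnose(error_msg, slapd_conf):
    """Classify the failure the way the reply suggests checking it by hand."""
    parsed = parse_krbtgt(error_msg)
    if parsed is None:
        return "no krbtgt principal in error text; look at the KDC syslog"
    service_realm, client_realm = parsed
    sasl_realm = slapd_directive(slapd_conf, "sasl-realm")
    if sasl_realm and sasl_realm != client_realm:
        return f"sasl-realm {sasl_realm} does not match ticket realm {client_realm}"
    if service_realm != client_realm:
        # The client mapped the server's host to a realm other than its own, so it
        # asks for a cross-realm TGT; a single-realm KDC has no such principal.
        return (f"cross-realm request: host realm {service_realm}, client realm "
                f"{client_realm}; check domain_realm/DNS TXT mapping or a typo")
    return "realms consistent; look elsewhere (keytab, KDC syslog)"

if __name__ == "__main__":
    print(diagnose(GSSAPI_ERROR, SLAPD_CONF))
```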