[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL woes

To: "Robert Fitzpatrick" <robert@webtent.com>
Subject: Re: SASL woes
From: Donn Cave <donn@u.washington.edu>
Date: Mon, 26 Apr 2004 11:52:25 -0700
Cc: "OpenLDAP" <openldap-software@OpenLDAP.org>
In-reply-to: <005301c42a27$644ac790$018ffea9@webtent.org>

On Saturday, April 24, 2004, at 11:10 AM, Robert Fitzpatrick wrote:

On FreeBSD 5.2.1, I am using this doc to try and get SASL auth to work with OpenLDAP 2.1.30. Cyrus-SASL 2.1.18 is using saslauthd setup with Heimdal Kerberos 0.6 and saslauthd is running with the '-a kerberos5' flag. I initialized the realm in Heimdal, exported an ldap service key to /etc/krb5.keytab and set permissions to 'rw------- ldap ldap'. Then using the doc below, entered the sasl setup in slapd.conf: sasl-host esmtp.webtent.net sasl-realm WEBTENT.NET sasl-regexp uid=(.*),cn=webtent.net,cn=gssapi,cn=auth uid=$1,ou=People,dc=webtent,dc=net This is what is happening:

I don't really know what's wrong there, but a couple ideas for diagnosis: - Comment out the sasl-host and sasl-realm directives, see if that changes anything. It shouldn't. If it does, did sasl-realm actually say "WEBENT.NET", not "WEBTENT.NET"? - Does the error actually say "krbtgt/WEBENT.NET@WEBTENT.NET"? If so, and there isn't really a WEBENT, track that down. If there really is a WEBENT, you're trying to do cross-realm authentication. May be workable, but won't just work automatically. - Look at the Kerberos KDC syslog, to see what Kerberos requests precede this error. (If any - if none, you may be sending the requests to some other KDC.) - ldapsearch/sasl looks in krb5.conf for the realm, or this information may be retrievable directly from DNS TXT and SRV records. (host -t txt _kerberos.my.domain -> realm; host -t srv _kerberos._udp.my.realm -> KDC.) I guess this is working OK, since it seems to work for kinit.

	Donn Cave, donn@u.washington.edu

esmtp# kadmin -l kadmin> list * robert@WEBTENT.NET Manager@WEBTENT.NET default@WEBTENT.NET imapadm@WEBTENT.NET kadmin/admin@WEBTENT.NET kadmin/hprop@WEBTENT.NET robert/admin@WEBTENT.NET kadmin/changepw@WEBTENT.NET changepw/kerberos@WEBTENT.NET krbtgt/WEBTENT.NET@WEBTENT.NET ldap/esmtp.webtent.net@WEBTENT.NET kadmin> ext_keytab ldap/esmtp.webtent.net kadmin> quit esmtp# chown ldap:ldap /etc/krb5.keytab esmtp# kinit robert robert@WEBTENT.NET's Password: kinit: NOTICE: ticket renewable lifetime is 1 week esmtp# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: robert@WEBTENT.NET Issued Expires Principal Apr 24 14:16:25 Apr 25 00:16:25 krbtgt/WEBTENT.NET@WEBTENT.NET esmtp# ldapsearch -x -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL # extended LDIF # # LDAPv3 # base <ou=People,dc=webtent,dc=net> with scope sub # filter: uid=robert # requesting: -LLL # # Robert Fitzpatrick, People, webtent.net dn: cn=Robert Fitzpatrick,ou=People,dc=webtent,dc=net # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 esmtp# ldapsearch -Y GSSAPI -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (82) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown) I assume there is something major that I am missing, can someone offer what they think it may be?

References:
- SASL woes
  - From: "Robert Fitzpatrick" <robert@webtent.com>

Prev by Date: Re: syncrepl doesn't copy entries
Next by Date: Re: proxycache not caching?
Index(es):
- Chronological
- Thread