
SASL GSSAPI authentication error - please help



Dear All:

I have OpenLDAP, and Kerberos working

I added the following line to slapd.conf

rootdn          "uid=ldapadmin,cn=RMSNET.COM,cn=gssapi,cn=auth"

and removed the old

#rootdn          "cn=manager,dc=rmsnet,dc=com"
#rootpw {SSHA}8hsL4HphuJn9RIzc1IGlghqRyq5uNCHy

parts which were working.

This was the only thing I did on the LDAP part.

On the MIT Kerberos side:

I have a Kerberos principal ldapadmin@RMSNET.COM, how

and the following setup:

 kdb5_util create -r RMSNET.COM -s (gave a password)

 kadmin.local -q "ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin"
 kadmin.local -q "ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/changepw"
 kadmin.local -q "addprinc krbadm@RMSNET.COM"
 kadmin.local -q "addprinc ldapadmin@RMSNET.COM"
 kadmin.local -q "addprinc -randkey ldap/pdc.rmsnet.com@RMSNET.COM"
 kadmin.local -q "ktadd ldap/pdc.rmsnet.com"
 kadmin.local -q "ktadd root@RMSNET.COM"
 kadmin.local -q "addprinc root@RMSNET.COM"
 kadmin.local -q "ktadd root@RMSNET.COM"

then /usr/local/var/krb5kdc/kadm5.acl

kadmin/admin@RMSNET.COM     *
ldapadmin@RMSNET.COM  *
mohan@RMSNET.COM  *
root@RMSNET.COM           *
*/*@RMSNET.COM              i


Then I start kinit ldapadmin@RMSNET.COM

result:

pdc:~# kinit ldapadmin@RMSNET.COM
Password for ldapadmin@RMSNET.COM:
pdc:~#

Then klist

pdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldapadmin@RMSNET.COM

Valid starting     Expires            Service principal
08/19/04 10:29:49  08/19/04 20:29:49  krbtgt/RMSNET.COM@RMSNET.COM
        renew until 08/20/04 10:29:47


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


and then I do a test:

pdc:~# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context


And this is where I am stuck..... Please help...... is it a Kerberos issue, or
do I have to do something on the LDAP side,
like mapping the Kerberos principal ldapadmin@RMSNET.COM to a DN?

Thanks in advance

Mohan (mohan@roomsnet.com)
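The two things the post is asking about are the mapping from a Kerberos principal to the DN that slapd sees for a SASL/GSSAPI bind, and whether the server side is set up to accept the ticket (gss_accept_sec_context is the acceptor-side call, so a failure there is reported by slapd, not by kinit). The following Python script is an added example written for this page; it is not from the post or from OpenLDAP. It emulates OpenLDAP's documented `uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth` identity form and an authz-regexp rewrite (sasl-regexp in the 2.1/2.2 releases of that era), checks the result against the rootdn from the post, and parses a `klist -k -t` listing to confirm the `ldap/<fqdn>@REALM` key slapd needs is in the keytab. The keytab listing and the `ou=people` mapping target are constructed for the example; the realm, hostname and rootdn are the ones in the post.

```python
import re

# Values taken from the post (slapd.conf rootdn, realm, server FQDN).
REALM = "RMSNET.COM"
LDAP_HOST = "pdc.rmsnet.com"
ROOTDN = "uid=ldapadmin,cn=RMSNET.COM,cn=gssapi,cn=auth"

# Constructed sample of `klist -k -t /etc/krb5.keytab` output (not real data).
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/19/04 10:15:02 ldap/pdc.rmsnet.com@RMSNET.COM
   2 08/19/04 10:16:40 root@RMSNET.COM
"""


def sasl_authzid(principal):
    """Build the DN OpenLDAP assigns to a SASL/GSSAPI identity:
    uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth"""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError("expected primary[/instance]@REALM, got %r" % principal)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm)


def dn_equal(a, b):
    """Case-insensitive DN comparison, ignoring whitespace around commas.
    Assumption: no escaped commas in either DN (true for the DNs here)."""
    def norm(dn):
        return ",".join(part.strip().lower() for part in dn.split(","))
    return norm(a) == norm(b)


def apply_authz_regexp(authzid, pattern, replacement):
    """Emulate one authz-regexp / sasl-regexp rule: match the SASL identity
    against `pattern` and substitute $1..$9 in `replacement`.
    Returns None when the rule does not match (slapd then tries the next rule
    or falls back to the unmapped cn=auth DN)."""
    m = re.fullmatch(pattern, authzid, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def missing_service_keys(klist_output, host, realm):
    """Parse `klist -k -t` output and return the service principals slapd
    needs that are absent from the keytab.  slapd must be able to read the
    key for ldap/<fqdn>@REALM, or gss_accept_sec_context fails on the server."""
    present = set()
    for line in klist_output.splitlines():
        tokens = line.split()
        if tokens and "@" in tokens[-1]:
            present.add(tokens[-1])
    needed = ["ldap/%s@%s" % (host, realm)]
    return [p for p in needed if p not in present]


if __name__ == "__main__":
    # 1. The identity ldapadmin@RMSNET.COM presents to slapd, and whether it
    #    equals the rootdn configured in the post.
    ident = sasl_authzid("ldapadmin@RMSNET.COM")
    print("SASL identity:", ident)
    print("matches rootdn:", dn_equal(ident, ROOTDN))

    # 2. How a regexp rule would map ordinary users into a constructed
    #    ou=people subtree instead of leaving them under cn=auth.
    rule = (r"uid=([^,]*),cn=rmsnet\.com,cn=gssapi,cn=auth",
            "uid=$1,ou=people,dc=rmsnet,dc=com")
    print("mohan maps to:", apply_authz_regexp(sasl_authzid("mohan@RMSNET.COM"), *rule))

    # 3. Does the keytab slapd reads contain the ldap/ service key?
    print("missing keys:", missing_service_keys(KEYTAB_LISTING, LDAP_HOST, REALM))
```

If the last check reports a missing key, or the listing is taken from a keytab file the slapd process cannot read, that is the first thing to fix before looking at DN mapping; the rootdn form used in the post is already the DN that a successful GSSAPI bind as ldapadmin@RMSNET.COM would produce.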