
OpenLDAP, SASL/GSSAPI issue - Please help



Dear All:
 
I have OpenLDAP working for plaintext authentication. Now I have installed Kerberos for LDAP authentication, Kerberos issues tickets.
But I get this error:
 
pdc:~# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
 
This is what was done:
 
I added the following line to slapd.conf
 
rootdn          "uid=ldapadmin,cn=RMSNET.COM,cn=gssapi,cn=auth"
 
and removed the old
 
#rootdn          "cn=manager,dc=rmsnet,dc=com"
#rootpw {SSHA}8hsL4HphuJn9RIzc1IGlghqRyq5uNCHy
 
parts which were working.
 
This was the only thing I did on the LDAP part.
 
On the MIT Kerberos side:
 
I have a Kerberos principal ldapadmin@RMSNET.COM, how
 
and the following setup:
 
 kdb5_util create -r RMSNET.COM -s (gave a password)

 kadmin.local -q "ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin"
 kadmin.local -q "ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/changepw"
 kadmin.local -q "addprinc krbadm@RMSNET.COM"
 kadmin.local -q "addprinc ldapadmin@RMSNET.COM"
 kadmin.local -q "addprinc -randkey ldap/pdc.rmsnet.com@RMSNET.COM"
 kadmin.local -q "ktadd ldap/pdc.rmsnet.com"
 kadmin.local -q "ktadd root@RMSNET.COM"
 kadmin.local -q "addprinc root@RMSNET.COM"
 kadmin.local -q "ktadd root@RMSNET.COM"
 
then /usr/local/var/krb5kdc/kadm5.acl
 
kadmin/admin@RMSNET.COM     *
ldapadmin@RMSNET.COM  *
mohan@RMSNET.COM  *
root@RMSNET.COM           *
*/*@RMSNET.COM              i
 

then I start kinit ldapadmin@RMSNET.COM

result: pdc:~# kinit ldapadmin@RMSNET.COM
Password for ldapadmin@RMSNET.COM:
pdc:~#
 
Then klist
 
pdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldapadmin@RMSNET.COM
 
Valid starting     Expires            Service principal
08/19/04 10:29:49  08/19/04 20:29:49  krbtgt/RMSNET.COM@RMSNET.COM
        renew until 08/20/04 10:29:47
 

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
 

and then I do a test:
 
pdc:~# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
 

And this is where I am stuck..... Please help...... Is it a Kerberos issue or do I have to do something on the LDAP side,
like mapping the Kerberos principal ldapadmin@RMSNET.COM to a DN?
 
Please help.
Thanks in advance
 
Mohan (mohan@roomsnet.com)
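A diagnostic added here as an example, not part of the original post or of OpenLDAP: gss_accept_sec_context is the acceptor (server) side of the handshake, so the failure is in slapd, even though kinit and klist on the client look fine. The two server-side checks worth doing first are whether the slapd process can read the keytab that `ktadd ldap/pdc.rmsnet.com` wrote to, and whether the key version in that keytab still matches what the KDC issues. The script assumes the default keytab /etc/krb5.keytab, a Linux `su -s`, and an unprivileged slapd account named by SLAPD_USER; the klist/kvno sample text it parses is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the post). Assumptions: slapd reads the default
# keytab /etc/krb5.keytab (where `ktadd` without -k stored ldap/pdc.rmsnet.com),
# and slapd runs as an unprivileged user that must be able to read that file.
SERVICE_PRINC="ldap/pdc.rmsnet.com@RMSNET.COM"   # service principal from the post
KEYTAB="${KRB5_KTNAME:-/etc/krb5.keytab}"        # assumption: default keytab
SLAPD_USER="${SLAPD_USER:-ldap}"                 # assumption: slapd's account

# Highest key version for $1 in `klist -k` style input (lines like "   3 ldap/host@REALM").
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Key version the KDC issues for $1, from `kvno` style input ("ldap/host@REALM: kvno = 3").
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") { print $NF + 0; exit }'
}

# 0 = keytab matches KDC, 1 = principal absent from keytab, 2 = kvno mismatch
# (KDC re-keyed after ktadd), 3 = KDC gave no answer for this principal.
check_kvno() {   # $1 principal, $2 `klist -k` output, $3 `kvno` output
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    [ "$kt" -eq 0 ] && return 1
    [ -n "$kdc" ] || return 3
    [ "$kt" -eq "$kdc" ] || return 2
    return 0
}

# Live check: run on the LDAP host with a valid TGT (kinit) in hand.
if [ "${1:-}" = "--live" ]; then
    [ -r "$KEYTAB" ] || { echo "$KEYTAB unreadable as $(id -un)"; exit 1; }
    # Confirm the slapd account itself can open the keytab (root can, slapd may not).
    su -s /bin/sh "$SLAPD_USER" -c "test -r '$KEYTAB'" \
        || echo "WARNING: $SLAPD_USER cannot read $KEYTAB; slapd's gss_accept_sec_context will fail"
    check_kvno "$SERVICE_PRINC" "$(klist -k "$KEYTAB")" "$(kvno "$SERVICE_PRINC" 2>&1)"
    echo "check_kvno result: $? (0 ok, 1 missing, 2 kvno mismatch, 3 no KDC answer)"
fi
```

Run it as `sh check-keytab.sh --live` on the slapd host after kinit; a result of 1 or 2 means the server key must be re-exported with ktadd, and the su warning means slapd never gets to use the key at all.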