Hi,

I've got an LDAP server running that requires SSL connections and SASL for binding. My Kerberos server is kerberos.domain.com, slapd is ldap.domain.com. Both of these are CNAMEs pointing to server.domain.com.

I previously had this setup working, but somewhere along the way I've broken it. Anonymous binding works (for nss_ldap, etc.) but when I grab myself a Kerberos ticket:

Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: lewiz@DOMAIN.COM

  Issued          Expires         Principal
Nov 3 18:59:32  Nov 4 04:59:32  krbtgt/DOMAIN.COM@DOMAIN.COM

and try ldapsearch -Z I receive the following:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/168.0.1@DOMAIN.COM) unknown)

My /etc/krb5.keytab file has host/server.domain.com, host/ldap.domain.com, ldap/server.domain.com and ldap/ldap.domain.com extracted to it. It is world readable (for testing only). afaik, I should only require host/server.domain.com and ldap/ldap.domain.com, but I added the others just in case. server.domain.com's IP address is 192.168.0.1.

I'm really stuck as to what's going wrong here.

There is nothing untoward in the slapd log file either:

Nov 3 19:02:16 server slapd[32770]: conn=14 fd=9 ACCEPT from IP=192.168.0.1:61243 (IP=192.168.0.1:389)
Nov 3 19:02:16 server slapd[32770]: conn=14 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 3 19:02:16 server slapd[32770]: conn=14 op=1 SRCH attr=supportedSASLMechanisms
Nov 3 19:02:16 server slapd[32770]: conn=14 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 3 19:02:16 server slapd[32770]: conn=14 fd=9 closed

ldap.conf:
----------
BASE        dc=domain,dc=com
URI         ldap://ldap.domain.com
TLS_CACERT  /usr/local/etc/openldap/ca.crt

slapd.conf (cropped where appropriate):
---------------------------------------
security ssf=1 update_ssf=112 simple_bind=64
TLSCipherSuite HIGH:MEDIA:+SSLv2:RSA
TLSCertificateFile /usr/local/etc/openldap/ldap.domain.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.domain.com.key

The server has no ACLs in force.

Can anybody suggest what is going wrong? This has previously been working but I've obviously messed something up. Any suggestions would be very welcome!

-lewiz.

--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
------------------------------------------------------------------------
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-
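As an added example (not from the original post or from OpenLDAP), a small POSIX sh script that derives the ldap/ service principal a GSSAPI client requests after DNS canonicalisation and checks whether it is present in a `klist -k` keytab listing; the listing is a constructed sample shaped after the keytab described in the post. The `--live` path assumes `getent` and `klist` on PATH and the keytab at /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the service principal a
# GSSAPI client requests when binding to an LDAP host and checks for it in a
# `klist -k` listing. SAMPLE_KEYTAB is a constructed sample matching the post's keytab.
SAMPLE_KEYTAB='FILE:/etc/krb5.keytab:

Vno  Type            Principal
  3  des-cbc-crc     host/server.domain.com@DOMAIN.COM
  3  des-cbc-crc     host/ldap.domain.com@DOMAIN.COM
  3  des-cbc-crc     ldap/server.domain.com@DOMAIN.COM
  3  des-cbc-crc     ldap/ldap.domain.com@DOMAIN.COM'

# expected_spn SERVICE HOST REALM -> e.g. ldap/ldap.domain.com@DOMAIN.COM. HOST is
# the name after the client's DNS canonicalisation; for a CNAME that is the target.
expected_spn() { printf '%s/%s@%s\n' "$1" "$2" "$3"; }

# keytab_has LISTING PRINCIPAL -> 0 if PRINCIPAL is the last field of any line.
# Works for Heimdal and MIT `klist -k` output; header lines never end in a principal.
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# looks_like_ip NAME -> 0 if NAME is only digits and dots, the shape seen in the
# post's error (krbtgt/168.0.1@DOMAIN.COM) instead of a hostname.
looks_like_ip() { case "$1" in ''|*[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

# check_host SERVICE HOST REALM LISTING -> 0 present, 1 missing, 2 HOST is an address.
check_host() {
    spn=$(expected_spn "$1" "$2" "$3")
    if looks_like_ip "$2"; then
        echo "client resolved the server to an address, not a name: $spn" >&2; return 2
    fi
    if keytab_has "$4" "$spn"; then echo "ok: $spn is in the keytab"; return 0; fi
    echo "missing: $spn is not in the keytab" >&2; return 1
}

# Live use on the server (assumed: getent and klist in PATH, keytab at /etc/krb5.keytab):
#   sh check_spn.sh --live ldap.domain.com DOMAIN.COM
if [ "${1:-}" = "--live" ]; then
    canon=$(getent hosts "$2" | awk '{ print $2; exit }')   # canonical name after CNAME
    check_host ldap "${canon:-$2}" "$3" "$(klist -k)"
    # the keytab should stop being world readable once testing is over
    [ -z "$(find /etc/krb5.keytab -perm -004)" ] || echo "warning: keytab is world readable" >&2
else
    check_host ldap ldap.domain.com DOMAIN.COM "$SAMPLE_KEYTAB"
    check_host ldap server.domain.com DOMAIN.COM "$SAMPLE_KEYTAB"
fi
```

If the live run reports an address or a name that differs from ldap.domain.com, the mismatch is between what the client's resolver canonicalises the LDAP host to and the principals that were extracted to the keytab.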