Re: OpenLDAP with SASL: No principal in keytab matches desired name
YESSSS!!! That was it!!! It's working fine now!!
Thank you very much!! :D
# ldapsearch -h localhost -b "dc=teste,dc=com" -LLL uid=rodolfo
SASL/GSSAPI authentication started
SASL username: rodolfo@ROOT.IME.UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn: uid=rodolfo,ou=People,dc=teste,dc=com
uid: rodolfo
cn: Rodolfo Broco Manin
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /tmp
gecos: Rodolfo Broco Manin
description: Usuario local de teste
sn: Manin
userPassword:: **********
[]s!
Rodolfo
> When starting slapd, try adding the environment variable to specify the
> keytab file (below). I believe srvtab was for Krb4 authentication.
>
> KRB5_KTNAME=/etc/ldap.keytab /path/to/slapd ....
>
> -Matt
>
> On Wed, 2004-12-22 at 11:08, Rodolfo Broco Manin wrote:
>> Hi, All!
>>
>> We are using OpenLDAP + Kerberos to perform user validation here, and
>> now I need to enable OpenLDAP's SASL authentication (to use with Cyrus
>> IMAP and QMail). I'm testing it with OpenLDAP (2.2.13 - Fedora Core
>> 3), but, when I try to perform a search - like:
>>
>> # ldapsearch -h my.host.name -Y GSSAPI
>>
>> (after doing a kinit), I get the message:
>>
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Internal (implementation specific) error
>> (80)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> Miscellaneous failure (No principal in keytab matches desired name)
>>
>> Question is: what principal is missing?? I tried running slapd with
>> various debug flags, but it says only:
>>
>> conn=0 fd=10 ACCEPT from IP=143.106.77.85:33134 (IP=0.0.0.0:389)
>> conn=0 op=0 BIND dn="" method=163
>> SASL [conn=0] Failure: GSSAPI Error: Miscellaneous failure (No
>> principal in keytab matches desired name)
>> conn=0 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure:
>> GSSAPI Error: Miscellaneous failure (No principal in keytab matches
>> desired name)
>> conn=0 fd=10 closed
>>
>> My /usr/lib/sasl2/slapd.conf has only one line:
>>
>> auxprop_plugin: slapd
>>
>> and I _do_ have a ldap/my.host.name at my keytab:
>>
>> # ktutil
>> ktutil: rkt /etc/openldap/slapd.keytab
>> ktutil: l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    2    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    3    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    4    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>> ktutil:
>>
>> (the "srvtab" parameter at my slapd.conf points to the file above)
>>
>> This host is DNS-resolving itself fine in both direct and reverse
>> ways, and I'm running slapd as root (for tests). Using ldapsearch
>> with simple auth works fine (with and without TLS). I have
>> saslauthd running (and it is working with testsaslauthd, and with
>> sasl-sample-server/client, using GSSAPI mech.)
>>
>> The slapd.conf I'm using looks like this:
>>
>> ----------------------------------------------------------------
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> allow bind_v2
>>
>> pidfile /var/run/slapd.pid
>> argsfile /var/run/slapd.args
>>
>> TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
>> TLSCertificateFile /usr/share/ssl/certs/myhost.pem
>> TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key
>>
>> sasl-host damasco.ime.unicamp.br
>> srvtab /etc/openldap/slapd.keytab
>> sasl-regexp UID=([^,]*),CN=.* UID=$1,OU=People,DC=teste,DC=com
>>
>> # FOR TEST ONLY!
>> access to * by * write
>>
>> database bdb
>> suffix "dc=teste,dc=com"
>> rootdn "cn=boss,dc=teste,dc=com"
>> rootpw teste
>>
>> directory /var/lib/ldap
>>
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>> ----------------------------------------------------------------
>>
>> Btw, after running ldapsearch, klist shows me a service principal, in
>> addition to my own one:
>>
>> # klist
>> Credentials cache: /tmp/krb5cc_0
>>
>> Default principal: me@ROOT.IME.UNICAMP.BR, 2 entries found.
>>
>> [1] Service Principal:
>> krbtgt/ROOT.IME.UNICAMP.BR@ROOT.IME.UNICAMP.BR
>> Valid starting: Dec 22, 2004 12:39
>> Expires: Dec 23, 2004 12:39
>> [2] Service Principal: ldap/my.host.name@ROOT.IME.UNICAMP.BR
>> Valid starting: Dec 22, 2004 12:39
>> Expires: Dec 23, 2004 12:39
>>
>> This thing is really getting me crazy...
>>
>> Some hint??
>>
>> Thanks in advance!!
> --
> Matthew J. Smith <matt.smith@uconn.edu>
> University of Connecticut ITS
> PGP Key: http://web.uconn.edu/dotmatt/matt.asc
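Why Matt's suggestion works, shown as an added example (a shell script written for this page, not code from the thread or from OpenLDAP): the GSSAPI mechanism asks the Kerberos library for ldap/<sasl-host>@REALM, and the library opens the keytab named by KRB5_KTNAME (falling back to /etc/krb5.keytab), so the Krb4-era "srvtab" line in slapd.conf never enters into it. The script stands in for `klist -k` with constructed listings for two keytab paths; the hostname, realm and ldap/ principal are taken from the thread, while the contents assumed for /etc/krb5.keytab (a host/ principal only) are an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Models the failure "No principal in
# keytab matches desired name": slapd's GSSAPI mechanism looks for
# ldap/<sasl-host>@REALM in the keytab the Kerberos library opens, which is
# chosen by KRB5_KTNAME (default /etc/krb5.keytab), not by slapd.conf's
# Krb4-era "srvtab" directive.

# Keytab path the Kerberos library opens for a given KRB5_KTNAME value
# (an empty value means the variable is unset, so the default applies).
effective_keytab() {
    case "$1" in
        "")     echo /etc/krb5.keytab ;;
        FILE:*) echo "${1#FILE:}" ;;
        *)      echo "$1" ;;
    esac
}

# Constructed "klist -k <file>" listings standing in for the real command.
# On a live system replace the body of this function with:  klist -k "$1"
# The ldap/ entries mirror the thread's ktutil listing; the host/ entry in
# /etc/krb5.keytab is an assumption for the demonstration.
keytab_listing() {
    case "$1" in
        /etc/openldap/slapd.keytab)
            printf '%s\n' \
              'Keytab name: FILE:/etc/openldap/slapd.keytab' \
              'KVNO Principal' \
              '---- ----------------------------------------' \
              '   4 ldap/my.host.name@ROOT.IME.UNICAMP.BR' \
              '   4 ldap/my.host.name@ROOT.IME.UNICAMP.BR' ;;
        /etc/krb5.keytab)
            printf '%s\n' \
              'Keytab name: FILE:/etc/krb5.keytab' \
              'KVNO Principal' \
              '---- ----------------------------------------' \
              '   2 host/my.host.name@ROOT.IME.UNICAMP.BR' ;;
        *)  return 1 ;;
    esac
}

# Succeed only if the klist-style listing on stdin contains the principal
# given as $1 (data rows start with a numeric KVNO; headers are skipped).
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                       END { exit found ? 0 : 1 }'
}

# Diagnose whether slapd started with KRB5_KTNAME="$1", configured with
# "sasl-host $2" in realm $3, would find its service principal.
# Prints a verdict and returns 0 (found) or 1 (missing).
check_slapd_gssapi() {
    keytab=$(effective_keytab "$1")
    want="ldap/$2@$3"
    if keytab_listing "$keytab" | keytab_has_principal "$want"; then
        echo "OK: $want found in $keytab"
        return 0
    fi
    echo "MISSING: $want not in $keytab; start slapd with KRB5_KTNAME=<keytab>"
    return 1
}

# The thread's situation: the principal exists in slapd.keytab, but with
# KRB5_KTNAME unset slapd searches /etc/krb5.keytab (expected: MISSING).
check_slapd_gssapi "" my.host.name ROOT.IME.UNICAMP.BR || :
# Matt's fix: point the library at the file that holds the principal.
check_slapd_gssapi /etc/openldap/slapd.keytab my.host.name ROOT.IME.UNICAMP.BR
```

The principal the check builds comes from the sasl-host value, so that value has to match the host part of the keytab entry exactly (my.host.name in the listing above); a keytab that is correct for one name still yields the same "no principal matches" error if slapd is told a different sasl-host.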