
Re: Multiple realms...



Héctor Sustaita Méndez wrote:
> Hi everyone, I'm working with LDAP->SASL->GSSAPI->Kerberos, and I
> want to implement multiple realms with this. But I don't know how to
> specify more than one realm in slapd.conf.
> I include the saslRegexp for each realm, but I got this:
>
>   "GSSAPI Error: Miscellaneous failure (No principal in keytab matches
> desired name)".

It depends on exactly what you want to accomplish. I had some issues with this some time ago, and mostly solved them with generous help from this list, and Cyrus SASL list. From what it looks like, you either haven't created principal for LDAP server host and placed it into keytab file, or you placed it into /etc/krb5.keytab which is not readable by slapd process. You need to place it into separate file, and instruct slapd to read it from there. Currently, AFAIK there is no command line option and/or configuration directive to accomplish that. The only way to do it is to define KRB5_KTNAME environment variable before starting slapd:


KRB5_KTNAME=/etc/openldap/ldap.keytab
export KRB5_KTNAME

On Red Hattish systems this could be placed into /etc/sysconfig/ldap.

If the above is not in the source of your problems, I made a couple of rather longer postings with possible solutions some time ago. Reading it now, there are some small not so correct conclusions in there (I learned some new stuff after I wrote that). However it still looks very usable.

You might want to search the archives of this mailing list for thread with subject "Kerberos and simple binds using same password database?". I made a summary and posted it back to the list. Alternatively, if you can't manage to find it, mail me off the list and I'll forward my original posting to you (should be somewhere in my sent mailbox, hopefully).

There's also a couple of discussions on the same topic on Cyrus SASL mailing list (subject "using saslauthd to authenticate against multiple kerberos realms") and general Cyrus mailing list cyrus-info (subject "authentication using kerberos").

Or simply search archives for everything with "kerberos" in subject ;-)

Hope this will help you solve the problem.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
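The two failure causes named in the reply above (no host principal in the keytab, or a keytab the slapd process cannot read) can be checked before slapd is started. The script below is an added example, not code from the original posting: it reads the keytab path from KRB5_KTNAME, falling back to the /etc/openldap/ldap.keytab path used in the reply, verifies the file is readable by the service account, and lists the keytab with klist to confirm the expected principal is present. The service account name "ldap" and the script's argument convention are assumptions; adjust them to the local setup.

```shell
#!/bin/sh
# Added example (not from the original posting): pre-start checks for the
# keytab slapd will read via KRB5_KTNAME. The default path and the service
# account name "ldap" are assumptions; adjust them to the local setup.

KEYTAB="${KRB5_KTNAME:-/etc/openldap/ldap.keytab}"
SLAPD_USER="${SLAPD_USER:-ldap}"   # assumed name of the account slapd runs as

# check_keytab FILE USER
# Returns 0 when FILE is a regular file readable by USER, 1 otherwise.
# When running as root, readability is tested as USER via su; otherwise
# the current user's own access is tested, which is the relevant answer
# when the script is run as the service account itself.
check_keytab() {
    f="$1"; u="$2"
    if [ ! -f "$f" ]; then
        echo "keytab $f does not exist" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ] && [ "$(id -un)" != "$u" ]; then
        readable=$(su -s /bin/sh "$u" -c "test -r '$f' && echo yes" 2>/dev/null)
    else
        readable=$( [ -r "$f" ] && echo yes )
    fi
    if [ "$readable" != "yes" ]; then
        echo "keytab $f is not readable by $u" >&2
        return 1
    fi
    return 0
}

# check_principal FILE PRINCIPAL
# Returns 0 when klist lists PRINCIPAL in FILE, 1 when it does not (the
# "No principal in keytab matches desired name" situation), and 2 when
# klist is not installed so the check cannot be made.
check_principal() {
    f="$1"; p="$2"
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$f" 2>/dev/null | grep -q -F -- "$p"
}

# Usage (argument is the expected service principal, e.g.
# ldap/ldap.example.com@EXAMPLE.COM, a constructed placeholder):
#   KRB5_KTNAME=/etc/openldap/ldap.keytab sh keytab-check.sh ldap/HOST@REALM
if [ $# -eq 1 ]; then
    check_keytab "$KEYTAB" "$SLAPD_USER" || exit 1
    check_principal "$KEYTAB" "$1"
    case $? in
        0) echo "ok: $1 found in $KEYTAB" ;;
        1) echo "missing: $1 not in $KEYTAB" >&2; exit 1 ;;
        2) echo "klist not installed; principal check skipped" ;;
    esac
fi
```

Run it as the service account (or as root) with the same KRB5_KTNAME that the slapd start script exports, so the check sees exactly the file slapd will see.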