Re: Multiple realms...
Héctor Sustaita Méndez wrote:
Hi everyone, I'm working with LDAP->SASL->GSSAPI->Kerberos, and I
want to implement multiple realms with this. But I don't know how to
specify more than one realm in slapd.conf.
I included the saslRegexp for each realm, but I got this:
"GSSAPI Error: Miscellaneous failure (No principal in keytab matches
desired name)".
It depends on exactly what you want to accomplish. I had some issues
with this some time ago, and mostly solved them with generous help from
this list and the Cyrus SASL list. From what it looks like, you either
haven't created a principal for the LDAP server host and placed it into the
keytab file, or you placed it into /etc/krb5.keytab, which is not readable by
the slapd process. You need to place it into a separate file, and instruct
slapd to read it from there. Currently, AFAIK there is no command line
option and/or configuration directive to accomplish that. The only way to
do it is to define the KRB5_KTNAME environment variable before starting slapd:
KRB5_KTNAME=/etc/openldap/ldap.keytab
export KRB5_KTNAME
On Red Hattish systems this could be placed into /etc/sysconfig/ldap.
If the above is not the source of your problems, I made a couple of
rather long postings with possible solutions some time ago. Reading
them now, there are some small not-so-correct conclusions in there (I
learned some new stuff after I wrote that). However, they still look very
usable.
You might want to search the archives of this mailing list for thread
with subject "Kerberos and simple binds using same password database?".
I made a summary and posted it back to the list. Alternatively, if
you can't manage to find it, mail me off the list and I'll forward my
original posting to you (should be somewhere in my sent mailbox, hopefully).
There are also a couple of discussions on the same topic on the Cyrus SASL
mailing list (subject "using saslauthd to authenticate against multiple
kerberos realms") and the general Cyrus mailing list cyrus-info (subject
"authentication using kerberos").
Or simply search archives for everything with "kerberos" in subject ;-)
Hope this will help you solve the problem.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
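As an added example (not from either poster), the following script checks the two failure causes named in the reply before slapd is started: whether the keytab slapd will read via KRB5_KTNAME is readable, and whether it actually contains an ldap/<host>@<REALM> principal for every realm that is supposed to work. It assumes MIT `klist -k` output format and the ldap/<fqdn>@<REALM> service principal naming; a constructed sample of that output is embedded so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread. Diagnoses the
# "No principal in keytab matches desired name" failure before starting slapd.
# Assumptions: MIT Kerberos `klist -k` output layout (header, "KVNO Principal",
# a dashed line, then "<kvno> <principal>" rows) and ldap/<fqdn>@<REALM>
# service principals. Run it as the user slapd runs as, so the readability
# check reflects what slapd will see.

# Constructed sample of `klist -k /etc/openldap/ldap.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap.example.com@EXAMPLE.COM
   3 ldap/ldap.example.com@EXAMPLE.COM
   2 ldap/ldap.example.com@CORP.EXAMPLE.COM'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> exit 0 if PRINCIPAL is listed.
# Only rows whose first field is a numeric KVNO are considered, so the header
# lines never match.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_realms KLIST_OUTPUT HOST REALM... -> prints, one per line, each REALM
# for which ldap/HOST@REALM is absent from the keytab (prints nothing if all
# realms are covered).
missing_realms() {
    klist_out=$1; host=$2; shift 2
    for realm in "$@"; do
        keytab_has_principal "$klist_out" "ldap/$host@$realm" \
            || printf '%s\n' "$realm"
    done
}

# keytab_readable KEYTAB -> exit 0 if KEYTAB is a regular file readable by the
# current user (the situation the reply describes with /etc/krb5.keytab is
# exactly this check failing for the slapd user).
keytab_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Demonstration on the constructed sample: OTHER.EXAMPLE.COM is reported.
missing=$(missing_realms "$SAMPLE_KLIST" ldap.example.com \
    EXAMPLE.COM CORP.EXAMPLE.COM OTHER.EXAMPLE.COM)
if [ -n "$missing" ]; then
    echo "keytab lacks ldap/ldap.example.com for realm(s): $missing"
else
    echo "all requested realms have an ldap/ service principal in the keytab"
fi
```

On a live host, replace SAMPLE_KLIST with `$(klist -k "$KRB5_KTNAME")` after exporting KRB5_KTNAME as the reply shows, and run the script as the slapd user.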