[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: mit-krb5 GSSAPI authentication



--On Tuesday, February 21, 2006 2:38 PM +0000 Alan Jones <skyphyr@gmail.com> wrote:

Hi All,

I'm having trouble with Kerberos authentication on openldap.

I'm on gentoo running openldap-2.2.28-r4, cyrus-sasl-2.1.21-r2,
mit-krb5-1.4.3 and openssl-0.9.7i.

When I run ldapsearch -H ldap://water/ -b dc=fluid I get
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

I've looked at the log and it appears that when sasl_bind is called the DN
is "".

I've removed the saslregex from my slapd.conf just to check it wasn't
replacing it with nothing.
The keytab is ldap:ldap 640 and the slapd is run as user ldap. The keytab
is listed in /etc/conf.d/slapd

Does anyone have an idea what would be causing these errors?

Thanks for any help and suggestions. 

I'll note a couple of things:

(a) MIT kerberos is magnitudes slower than Heimdal. If you are going to be using SASL/GSSAPI authorization to OpenLDAP, I suggest using Heimdal if you want any sort of decent performance from it.

(b) It looks like you need to play with the sample SASL server/client from Cyrus SASL to get SASL/GSSAPI working before you set up OpenLDAP.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html