Re: open ldap with SASL & GSSAPI

[Howard Chu <hyc@symas.com>]

Maxwell Bottiger wrote:
> Hello all,
>
> 	I've found lots of information about problems related to mine in the
> FAQ and around the net, but I don't have a solution yet.  Here's my
> setup:
>
> Open Ldap 2.2
> MIT Kerberos
> SASL 2.1.20

MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal 
is known to work well. On the client side, either one will work, but 
generally I would recommend using Heimdal.

> I'm using ldap to provide directory services and user info to some linux
> workstations.  This was working, but after upgrading a test machine to
> Fedora 6 I've started having some serious problems.
>
> [sleepylight@minitop ~]$  ldapsearch -H ldap://ns.jive-turkey.net -Y
> GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
>
> I figure this is one of three possible problems.
> 1 - saslauthd isn't working right

SASL-enabled servers don't talk to saslauthd to perform GSSAPI 
authentication, so that is out of the equation.

> 2 - ldap isn't talking to sasl correctly

unlikely.

> 3 - I've done something wrong with my ldap quires.

possible.
> Kerberos seems to work fine.  I can get my credentials with kinit, and
> the GSSAPI credentials are working for ssh logins.  Also, I can use
> testsaslauthd and get a success from the authd server.

Since you say kinit works, what tickets does klist show you having?

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/