Re: open ldap with SASL & GSSAPI
Maxwell Bottiger wrote:
> Hello all,
> I've found lots of information about problems related to mine in the
> FAQ and around the net, but I don't have a solution yet. Here's my
> setup:
> Open Ldap 2.2
> MIT Kerberos
> SASL 2.1.20

MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal
is known to work well. On the client side, either one will work, but
generally I would recommend using Heimdal.

> I'm using ldap to provide directory services and user info to some linux
> workstations. This was working, but after upgrading a test machine to
> Fedora 6 I've started having some serious problems.
>
> [sleepylight@minitop ~]$ ldapsearch -H ldap://ns.jive-turkey.net -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> I figure this is one of three possible problems.
> 1 - saslauthd isn't working right

SASL-enabled servers don't talk to saslauthd to perform GSSAPI
authentication, so that is out of the equation.

> 2 - ldap isn't talking to sasl correctly

unlikely.

> 3 - I've done something wrong with my ldap queries.

possible.

> Kerberos seems to work fine. I can get my credentials with kinit, and
> the GSSAPI credentials are working for ssh logins. Also, I can use
> testsaslauthd and get a success from the authd server.

Since you say kinit works, what tickets does klist show you having?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
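
One way to read the klist output asked for above, as an added example that is not part of the original message: a GSSAPI bind to slapd uses a service ticket for ldap/<server FQDN>, so the function below reports whether the cache holds a TGT and a ticket for the server named on the ldapsearch command line. The function names, the realm EXAMPLE.TEST, the user name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `klist` text (stdin) for a GSSAPI LDAP bind.
# $1 is the LDAP server FQDN used in the ldapsearch -H URL.
check_ldap_tickets() {
    awk -v host="$1" '
        BEGIN { want = "ldap/" tolower(host) "@" }
        # The service principal is the last field on each ticket line.
        { p = tolower($NF) }
        index(p, "krbtgt/") == 1 { tgt = $NF }
        index(p, want) == 1      { svc = $NF }
        # An ldap/ ticket for another name points at a hostname mismatch
        # (for example, the client resolved the server to a different FQDN).
        index(p, "ldap/") == 1 && index(p, want) != 1 { other = $NF }
        END {
            if (!tgt)       print "no-tgt"
            else if (svc)   print "ok " svc
            else if (other) print "ldap-ticket-other-host " other
            else            print "no-ldap-ticket"
        }'
}

# Constructed sample of MIT-style klist output (dates and realm are made up).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.TEST

Valid starting     Expires            Service principal
11/20/06 10:00:00  11/20/06 20:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
11/20/06 10:01:12  11/20/06 20:00:00  ldap/ns.jive-turkey.net@EXAMPLE.TEST
EOF
}

sample_klist | check_ldap_tickets ns.jive-turkey.net
```

On a live client, run `klist | check_ldap_tickets <server>` after the failed ldapsearch; a result of `ok` means the client obtained the service ticket and the failure is on the accepting side.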