Re: Not able to get GSSAPI in supportedSASLMechanisms list
Padmavathi Dt wrote:
> Hi List,
> I am trying to get LDAP with the SASL GSSAPI mechanism.
>
> In /usr/lib/sasl2, it has
> [root@as3 sasl2]# ls libgssapi*
> libgssapiv2.la libgssapiv2.so libgssapiv2.so.2 libgssapiv2.so.2.0.19
To verify that the Cyrus SASL mechanism is installed correctly, use
the command 'pluginviewer'. For example:
neo:~# pluginviewer -s | grep -i GSSAPI
pluginviewer: SASL Other: OTP: auxprop backend can't store properties
CRAM-MD5 PLAIN NTLM GSSAPI OTP DIGEST-MD5 ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> I also have a working Kerberos. I am able to get tickets from Kerberos. I
> have added the ldap host principal to the Kerberos database.
> I have my slapd.conf as (SASL-related part):
> sasl-host as3
> sasl-realm BSNL.COM
> authz-regexp uid=([^,]*),cn=bsnl.com,cn=gssapi,cn=auth
>   uid=$1,ou=people,dc=bsnl,dc=com
I don't believe any of these commands should be necessary for the
GSSAPI mechanism to show up in the ldapsearch below.
> (Also, I have added the first two lines after seeing some mailing list. In
> the admin guide nothing was mentioned about adding the two lines. Please
> tell me whether it is correct?)
> According to the HOWTO doc from www.bayour.com, when we query LDAP for
> supportedSASLMechanisms, it should show GSSAPI (my whole purpose). But
> when I give the following:
> [root@as3 openldap]# /usr/bin/ldapsearch -H "ldaps://:12345" -x -b "" -s
> base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: NTLM
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: LOGIN
> Does it mean that LDAP was not built with SASL support?
This could mean that OpenLDAP is not able to find a keytab
containing the proper Kerberos principal, or some other problem
which prevents it initializing GSSAPI.
> I have slapd.conf in /usr/lib/sasl2 as:
> pwcheck_method: /usr/sbin/saslauthd
> saslauthd_path: /var/run/saslauthd/mux
> mech_list: plain login ntlm kerberos5
kerberos5 doesn't look right. It should be 'gssapi'. My
/usr/lib/sasl2/slapd.conf happens to look like:
keytab: /etc/krb5.keytab-ldap
pwcheck_method: auxprop saslauthd
auxprop_plugin: slapd
Specifying mech_list isn't necessary.
- Dan
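The checks Dan walks through (plugin loadable, mechanism name in mech_list, keytab holding the ldap principal, rootDSE actually advertising GSSAPI) collected into one diagnostic script. This is an added example, not code from the thread or from OpenLDAP or Cyrus SASL; the config path /usr/lib/sasl2/slapd.conf, the host as3.bsnl.com, the realm BSNL.COM, the default keytab /etc/krb5.keytab and the sample outputs are assumptions taken from or modelled on the thread.

```shell
#!/bin/sh
# Diagnostic for "GSSAPI missing from supportedSASLMechanisms".
# Added example; not from the thread or from OpenLDAP/Cyrus SASL. Paths,
# host, realm and sample data are assumptions.

# Cyrus SASL config that slapd reads (assumed location, as in the thread).
SASL_CONF=${SASL_CONF:-/usr/lib/sasl2/slapd.conf}

# Keytab path: the "keytab:" option in the SASL config, else the libkrb5
# default /etc/krb5.keytab. The keytab must also be readable by the uid
# slapd runs as; running this as root does not prove that.
sasl_keytab_path() {  # $1 = SASL config file
    kt=$(sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$1" | head -n 1)
    echo "${kt:-/etc/krb5.keytab}"
}

# mech_list restricts which loaded plugins slapd offers. "kerberos5" is not
# the Cyrus name of the Kerberos mechanism, "gssapi" is, so a list naming
# kerberos5 quietly drops GSSAPI. No mech_list means every loaded plugin is
# offered, which is what Dan's config relies on.
check_mech_list() {  # $1 = SASL config file; returns 0 iff GSSAPI is offered
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tr 'A-Z\n' 'a-z ')
    if [ -z "$mechs" ]; then
        echo "ok: no mech_list in $1; all loaded plugins are offered"
        return 0
    fi
    case " $mechs " in
        *" gssapi "*)    echo "ok: mech_list enables gssapi"; return 0 ;;
        *" kerberos5 "*) echo "bad: mech_list names 'kerberos5'; the Cyrus SASL name is 'gssapi'"; return 1 ;;
        *)               echo "bad: mech_list ($mechs) omits gssapi"; return 1 ;;
    esac
}

# slapd needs ldap/<sasl-host>@<sasl-realm> in its keytab.
# Feed the output of "klist -k <keytab>" on stdin.
keytab_has_ldap_principal() {  # $1 = sasl-host, $2 = sasl-realm
    grep -qF "ldap/$1@$2"
}

# Feed the output of an anonymous rootDSE query on stdin;
# returns 0 iff GSSAPI is advertised.
server_offers_gssapi() {
    grep -qx 'supportedSASLMechanisms: GSSAPI'
}

# Live run on the server (only with --run): pluginviewer shows what libsasl2
# can load, klist -k what the keytab holds, ldapsearch what slapd advertises.
run_live() {  # $1 = sasl-host, $2 = sasl-realm, $3 = LDAP URI
    if pluginviewer -s 2>/dev/null | grep -q 'SASL mechanism: GSSAPI'; then
        echo "ok: gssapiv2 plugin loads"
    else
        echo "bad: gssapiv2 plugin not loadable by libsasl2"
    fi
    check_mech_list "$SASL_CONF"
    kt=$(sasl_keytab_path "$SASL_CONF")
    ls -l "$kt"   # compare owner/mode with the uid slapd runs as
    if klist -k "$kt" | keytab_has_ldap_principal "$1" "$2"; then
        echo "ok: $kt holds ldap/$1@$2"
    else
        echo "bad: ldap/$1@$2 not in $kt"
    fi
    if ldapsearch -H "$3" -x -b '' -s base -LLL supportedSASLMechanisms \
            | server_offers_gssapi; then
        echo "ok: slapd advertises GSSAPI"
    else
        echo "bad: slapd does not advertise GSSAPI"
    fi
}

if [ "${1:-}" = "--run" ]; then
    run_live "${2:-as3.bsnl.com}" "${3:-BSNL.COM}" "${4:-ldap://localhost}"
fi
```

Run it on the LDAP host as `sh gssapi-check.sh --run <sasl-host> <realm> <uri>`. The principal it looks for is the one slapd itself will ask for, ldap/<sasl-host>@<sasl-realm> (subject to whatever hostname canonicalisation libkrb5 applies), so a short sasl-host such as `as3` and a keytab entry for the FQDN are worth comparing side by side. The functions are separated from the live run so the parsing can be checked against captured output without a KDC.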