Re: Kerberized LDAP not accessible

[Dan White <dwhite@olp.net>]

On 21/01/11 11:45 +0100, Thomas Schweikle wrote:
> Hi!
>
> I kerberized ldap:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcAuthzRegexp: uid=(.*),cn=example.com,cn=gssapi,cn=auth
> uid=$1,ou=Users,dc=example,dc=com
> olcSaslHost: srv.example.com
> olcSaslRealm: EXAMPLE.COM
>
> In /etc/ldap/ldap.conf:
> BASE            dc=example,dc=com
> URI             ldap://srv.example.com
> SASL_MECH       GSSAPI
>
> In /etc/ldap.conf
> base dc=example,dc=com
> uri ldap://srv.example.com
> ldap_version 3
> rootbinddn cn=adm,dc=example,dc=com
> pam_password md5
>
> I now try to connect to my ldap server:
>
> client:~$ kinit user
> Password for user@EXAMPLE.COM:
> client:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: user@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 01/21/11 11:32:03  01/21/11 21:32:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>        renew until 01/22/11 11:31:58
>
> client:~$ ldapsearch -H ldap://srv.example.com
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>        additional info: SASL(-13): user not found: no secret in
> database

See the FAQ entry on OpenLDAP+SASL+GSSAPI at:

http://www.cyrusimap.org/mediawiki/index.php/FAQ

--
Dan White