Re: Help with SASL generic GSSAPI error
On Tue, 2014-05-13 at 08:12 -0500, Dan White wrote:
> On 05/13/14 07:32 -0400, Brendan Kearney wrote:
> >On Tue, 2014-05-13 at 08:26 +0200, Dieter Klünter wrote:
> >> On Mon, 12 May 2014 20:52:14 -0600,
> >> Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
> >>
> >> > root@mytest:~# ldapsearch -Y GSSAPI
> >> > SASL/GSSAPI authentication started
> >> > ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> >> > error (80)
> >> > additional info: SASL(-1): generic failure: GSSAPI Error:
> >> > Unspecified GSS failure. Minor code may provide more information ()
>
> Check your syslog - auth facility, and check your kdc logs.
>
> >a couple of things that may need attention. you need to map the
> >kerberos-established identities to ldap user objects. adjust the below
> >to match your environment (these need to be in cn=config):
> >
> >olcSaslRealm: BPK2.COM
>
> This may be necessary.
>
> >olcAuthzRegexp: {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=
> >$1,ou=Users,dc=bpk2,dc=com
> >olcAuthzRegexp: {1}uid=([^,]*),cn=gssapi,cn=auth uid=
> >$1,ou=Users,dc=bpk2,dc=com
>
> This is not necessary, for GSSAPI authentication. That is, the error
> message above is a SASL error message. olcAuthzRegexp would be needed to
> map the user after authentication has been completed.
Good point; why map an identity if it has not been authenticated yet?
> >you might also need to tell sasl to use the kerberos auth mechanism, and
> >where to find the ldap servers. again, adjust to your environment
> >(saslauthd.conf):
> >
> >ldap_servers: ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com
> >ldap_use_sasl: yes
> >ldap_mech: kerberos5
> >ldap_auth_method: fastbind
> >keytab: /etc/ldap.keytab
>
> This is also not necessary, as GSSAPI authentication does not depend on or
> use saslauthd. It would be needed if performing pass-through or PLAIN/LOGIN
> authentication.
>
Interesting. When I found the articles that I worked off of for my
environment, those distinctions were not made. Only recently did I
discover that the pass-through auth works. I have set olcSaslSecProps
to noanonymous,noplain, so it seems to only work in limited cases.
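Added example, not from this thread or from OpenLDAP itself: a small
stand-alone Python script that applies Brendan's two olcAuthzRegexp rules
the way slapd tries them (in index order, first match wins), so you can see
what a GSSAPI identity of the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth
maps to before touching cn=config. The sample identities are constructed;
the whole-string matching and the $1 handling are assumptions of this
script, not slapd's own matcher, and the unescaped "." in bpk2.com is
copied from the original rule as written.

```python
import re

# The two rules from the cn=config snippet above, in olcAuthzRegexp index order.
# slapd tries them in order and uses the first one that matches. Rule {0}
# handles identities that carry the realm component; rule {1} handles the
# form without it (the case olcSaslRealm is meant to produce).
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=bpk2,dc=com"),
    (r"uid=([^,]*),cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=bpk2,dc=com"),
]


def _expand(replacement, match):
    """Expand slapd-style $1..$9 references in the replacement string.

    This is an approximation of slapd's substitution, not its code.
    """
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), replacement)


def map_sasl_identity(sasl_identity, rules=AUTHZ_REGEXP):
    """Return the DN a SASL identity maps to, or the identity unchanged.

    Assumption of this script: each pattern must match the whole identity.
    When no rule matches, slapd keeps the synthetic ...,cn=auth identity,
    which is what the unchanged return value models.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_identity)
        if m:
            return _expand(replacement, m)
    return sasl_identity


if __name__ == "__main__":
    # Constructed sample identities for the realm used in the thread.
    samples = [
        "uid=jschaeffer,cn=bpk2.com,cn=gssapi,cn=auth",  # realm present, rule {0}
        "uid=jschaeffer,cn=gssapi,cn=auth",              # realm omitted, rule {1}
        "uid=jschaeffer,cn=digest-md5,cn=auth",          # other mech, no rule matches
    ]
    for ident in samples:
        print(f"{ident}\n  -> {map_sasl_identity(ident)}")
```

The third sample shows why the regexp has to name the mechanism: an identity
authenticated by a different SASL mechanism is left on its synthetic cn=auth
DN and therefore gets no rights granted to the real user entry.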