
Re: stumped: setting up SASL+GSSAPI



Do you have the Cyrus SASL sample client and server working?
See the Cyrus SASL doc/gssapi.html for assistance.

At 08:51 AM 9/30/00 -0400, Kyle Downey wrote:
>Okay, I've been banging my head against Kerberos and OpenLDAP for the last
>week, and I declare utter defeat. Learned more about Kerberos than I wanted
>to know along the way, and successfully Kerberized my Linux box (telnet etc.
>now use GSSAPI to authenticate). I'm working on a (LONG!) HOWTO that I plan
>to contribute when done, but though I'm almost there, I still can't get it
>to authenticate. For example, if I enter:
>
>kinit [ enter username and password; log into Kerberos ]
>ldapsearch -I
>
>it prompts me for my username, then says
>
>ldap_sasl_interactive_bind_s: Can't contact LDAP server
>
>which is not true, because "ldapsearch -x" (plain authentication) works just
>fine--the LDAP server is up and functioning. Furthermore, if I do a klist, I
>can see GSSAPI added the credentials for "ldap@horatio.amberarcher.com" to
>my local ticket cache, so Kerberos successfully logged me in.
>
>Here's my config:
>
>* vanilla Red Hat Linux 6.1
>* Kerberos 5-1.1 configured with --enable-shared --without-krb4
>* Cyrus SASL 1.5.24 configured with --disable-krb4 --enable-gssapi
>    --disable-cram --disable-digest
>* OpenLDAP 2.0.4 configured with --with-cyrus-sasl --with-tls --enable-spasswd
>    --enable-aci
>
>I've started krb5kdc and slapd, and the KDC has a principal and keytab entry
>for "host/horatio.amberarcher.com" and "ldap/horatio.amberarcher.com" (else
>it would not have gotten so far as to authenticate). I think I'm very close
>to getting this to work, so I appreciate any help you can give me!
>
>FYI, I tried recompiling Cyrus SASL with its own debug flag set in config.h
>to produce more debugging information, but since it does succeed (debug
>prints "GSS_S_COMPLETE" right before it bombs out), I'm not sure the
>problem's there. I turned on debugging with -d 5 on ldapsearch, and didn't
>find out anything useful. I tried going through the code and (because my C's
>rusty) could not even find the exact spot where it's printing that message!
>
>Thanks in advance.
>
>regards,
>kd