
Re: OpenLDAP and SASL



On Thu, 7 Jun 2001, Kurt D. Zeilenga wrote:

> At 05:58 AM 6/6/2001, Jan Marek wrote:
> >
> >Is there some documentation, HOWTO, or step-by-step, how is
> >possible to set OpenLDAP to work with SASL?
>
> Have you gotten Cyrus's sample client/server to work?

I am currently working my way through the HOWTO guide at
http://www.bayour.com/LDAPv3-HOWTO.html.  This has been a helpful guide
but due to my lack of experience with OpenLDAP, SASL, and Kerberos I am
struggling.  Plus the guide is written specifically for Debian, and I am
working with Red Hat.  But that part has not been too bad.

Currently I have built Cyrus SASL with GSSAPI.  I applied the
recommended patches to plugins/gssapi.c, and everything seemed to build
just fine.

In testing Cyrus SASL using the sample-client and sample-server
programs, I am having trouble.  I'll just list my questions and I hope
someone can answer them or point me to an answer.

1) The first step described is to "execute kinit" in the shell.
Execute it how?  I can run:

	kinit astreib@IU.EDU

and that works fine, but:

	kinit -k (do I need to do this?)

returns:

	kinit(v5) Cannot resolve network address for KDC in requested
	realm while getting initial credentials.

My /etc/krb5.conf seems to contain the necessary realm and domain-realm
entries, but something is clearly going astray somewhere.

Side note: in my krb5.keytab file I have an ldap service entry but not a
host entry.  I'm starting to think this is a problem, based on some
things I've been reading in the past couple of hours.

2) If I just kinit with my own principal, and then run the sample-client
and sample-server programs, I get:

   [root sample]# ./sample-server -s ldap -p /usr/lib/sasl
   Generating client mechanism list...
   Sending list of 4 mechanism(s)
   S: TE9HSU4gUExBSU4gQU5PTllNT1VTIEdTU0FQSQ==
   Waiting for client mechanism....

   --- In another shell ---

   [root sample]# ./sample-client -s ldap -n <FQDN> -u astreib -p /usr/lib/sasl
   service=ldap
   Waiting for mechanism list from server...
   S: TE9HSU4gUExBSU4gQU5PTllNT1VTIEdTU0FQSQ==
   Choosing best mechanism from: LOGIN PLAIN ANONYMOUS GSSAPI
   lt-sample-client: Starting SASL negotiation: generic failure

Above, <FQDN> is the fully qualified name of the host that I'm on.
What's not clear to me, beyond the kinit question, is what username
should I use?  Mine?  Root?  I've tried both, with the same results.
And is there debugging or logs I can check to determine more detail on
the "generic failure" error?

Thanks for any help,

Allan
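An added example (not part of the thread above) that walks through the two things the sample programs expose: the base64 line the sample-server prints is just its mechanism list, and the client's choice among those mechanisms is where GSSAPI's Kerberos prerequisites come in.  The `klist -k` listing, hostnames and realm in the script are constructed placeholders, not the poster's.

```python
import base64

# The mechanism line the sample-server printed in the post above: Cyrus
# sample-server sends the space-separated mechanism list base64-encoded.
SERVER_MECH_LINE = "TE9HSU4gUExBSU4gQU5PTllNT1VTIEdTU0FQSQ=="

# Constructed `klist -k` output; host and realm are placeholders.
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------
   2 ldap/ldap.example.test@EXAMPLE.TEST
"""

# Mechanisms that carry the password in the clear; only acceptable under TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Strongest first. ANONYMOUS is deliberately never chosen automatically.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]

def decode_mech_list(line):
    """Turn the sample-server's base64 line into a list of mechanism names."""
    return base64.b64decode(line).decode("ascii").split()

def choose_mechanism(mechs, tls=False, have_ticket=False):
    """Pick the strongest offered mechanism that local policy allows.
    GSSAPI needs a Kerberos ticket (kinit) on the client; cleartext
    mechanisms are refused unless the connection is protected by TLS."""
    for m in PREFERENCE:
        if m not in mechs:
            continue
        if m == "GSSAPI" and not have_ticket:
            continue
        if m in CLEARTEXT_MECHS and not tls:
            continue
        return m
    return None  # nothing acceptable was offered

def keytab_principals(listing):
    """Extract the principal names from `klist -k` output."""
    principals = []
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():   # data rows start with the KVNO
            principals.append(parts[1])
    return principals

def has_service_key(listing, service, fqdn):
    """True if the keytab holds service/fqdn (any realm): the key the GSSAPI
    server side needs when sample-server is started with -s <service>."""
    wanted = f"{service}/{fqdn}@"
    return any(p.startswith(wanted) for p in keytab_principals(listing))
```

With a valid ticket the client lands on GSSAPI, so a "generic failure" at that point means the Kerberos side (ticket, service key, KDC resolution) rather than the mechanism list is what to debug.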