
RE: SASL/GSSAPI with multiple Kerberos realms?



Finally got around to trying this -- my /etc/krb5.keytab file has service
principals for both realms.  The realms are IU.EDU and dce1.indiana.edu.  
SASL GSSAPI binds with my IU.EDU principal are working, but when I try to 
bind with my dce1.indiana.edu principal I am getting a message:

  ldap_sasl_interactive_bind_s: Local error

Looking at a tcpdump of what's happening, I see that I'm requesting a TGT
by the wrong name.  The request asks for krbtgt/IU.EDU@dce1.indiana.edu,
and the error says that principal doesn't exist.  The correct TGT name
would be krbtgt/dce1.indiana.edu@dce1.indiana.edu.

Ideas?

Allan

On Fri, 21 Feb 2003, Howard Chu wrote:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Allan Streib
> 
> > OK next suggestion from the Kerberos admin is to have an ldap service
> > principal in both realms, and have both keys in the keytab
> > file on the ldap server.
> 
> This is an absolute requirement. The server and client must both have
> credentials in a common realm. If you can't use cross-realm authentication to
> put them both in the same realm, then the server must exist in both realms.
> >
> > BUT I think that sasl-realm in slapd.conf allows only one value; is
> > this the case?
> 
> Irrelevant. Kerberos does its own realm name management, sasl-realm only
> affects DIGEST-MD5 and other mechs that don't support distributed
> authentication.
> 
> > If I ran another slapd with a slapd.conf specifying the other realm,
> > could it look at the same db (the access to the other realm does not
> > need to allow updates) without getting confused?  This is openldap
> > 2.0.27.
> 
> No.
> 
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> 
> 

-- 
Allan M. Streib                            | "If you understand what
Global Directory Services - UIS/UITS       |  you're doing, you're
Indiana University Bloomington             |  not learning anything."
http://php.indiana.edu/~astreib/my.pgp.key |            -- Anonymous
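As an added example (not code from this thread), a small Python model of the two client-side decisions behind a krbtgt request like the one seen in the tcpdump: how the LDAP server's host name is mapped to a realm, and why a credential from a different realm then produces a cross-realm krbtgt/<service realm>@<client realm> request rather than the local one. The host name, the [domain_realm] map and the keytab listing are constructed, and a host-to-realm mapping being the cause in this case is an assumption, not something the thread establishes.

```python
# Added example (not from the thread): models the client-side steps that lead
# to a krbtgt request. Realm names come from the thread; the host name, the
# [domain_realm] map and the keytab listing are constructed.

def map_host_to_realm(host, domain_realm, default_realm):
    """Mirror krb5.conf [domain_realm]: exact host entry first, then the
    longest matching '.suffix' entry, else default_realm."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    best = None
    for key, realm in domain_realm.items():
        if key.startswith(".") and host.endswith(key):
            if best is None or len(key) > len(best[0]):
                best = (key, realm)
    return best[1] if best else default_realm

def tgt_requests(client_principal, service_host, domain_realm, default_realm):
    """krbtgt principals a client holding client_principal's TGT asks for
    before requesting ldap/<host> (direct cross-realm trust only)."""
    client_realm = client_principal.split("@", 1)[1]
    service_realm = map_host_to_realm(service_host, domain_realm, default_realm)
    reqs = ["krbtgt/%s@%s" % (client_realm, client_realm)]
    if service_realm != client_realm:
        # cross-realm TGT: the service realm's krbtgt, issued by the client's realm
        reqs.append("krbtgt/%s@%s" % (service_realm, client_realm))
    return reqs, "ldap/%s@%s" % (service_host, service_realm)

def keytab_has(klist_output, principal):
    """Scan MIT `klist -k` style output for an exact principal entry."""
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1] == principal:
            return True
    return False

# Constructed keytab listing with one ldap/ key per realm, as in the thread.
KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------
   3 ldap/ldap.example.edu@IU.EDU
   3 ldap/ldap.example.edu@dce1.indiana.edu
"""
if __name__ == "__main__":
    # Host maps to IU.EDU, but the credential is in dce1.indiana.edu: the
    # client asks for the cross-realm krbtgt/IU.EDU@dce1.indiana.edu.
    reqs, svc = tgt_requests("user@dce1.indiana.edu", "ldap.example.edu",
                             {".example.edu": "IU.EDU"}, "IU.EDU")
    print(reqs, svc, keytab_has(KEYTAB, svc))
```

An exact host entry in the [domain_realm] map pointing at dce1.indiana.edu makes the model request only the local krbtgt, which is the difference to look for between the two client configurations.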