
Re: LDAP, SASL2, and KERBEROS5
Initially, I had my keytab in /etc/openldap/ldap.keytab. Then I deleted it and put it in /etc/krb5.keytab.

I still get the same problem.


Jose Gonzalez Gomez wrote:


Do you have a /etc/krb5.keytab file? This is the default location; you may have overridden it in your configuration files.


   Best regards
   Jose

O Plameras wrote:

Hi,

Got this error,

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No such file or directory)


with commands:
[root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" (w/ SASL, no SSL)
[root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" (w/ SASL, w/ SSL)
[root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" (w/ SASL, w/ SSL)


I get correct (no error like above) results with:
[root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" -x (no SASL, no SSL)
[root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" -x (no SASL, w/ SSL)
[root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" -x (no SASL, w/ SSL)


I tested GSSAPI/Kerberos5 with SASL as follows:

Server side:

[root@otr ssh]sasl2-sample-server -s host
trying 10, 1, 6
....
....
accepted new connection
send: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
... lots of characters
...
successful authentication 'oscar'
closing connection

On client side:
[oscarp@otr oscarp]$ kinit oscar
Password for oscar@NOY.COM.AU:
[oscarp@otr oscarp]$ sasl2-sample-client -s host -m GSSAPI otr.noy.com.au
receiving capability list... recv: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
please enter an authorization id: oscar


.... lots of characters
successful authentication
closing connection

So, SASL/GSSAPI/Kerberos works with the test but
does not work with 'ldapsearch' (OpenLDAP).

I have this on my Linux:

[oscarp@otr oscarp]$ rpm -qa | grep sasl
cyrus-sasl-devel-2.1.19-1
cyrus-sasl-gssapi-2.1.19-1
cyrus-sasl-md5-2.1.19-1
cyrus-sasl-2.1.19-1
cyrus-sasl-plain-2.1.19-1
[oscarp@otr oscarp]$ rpm -qa | grep openldap
openldap-devel-2.1.22-8
openldap-clients-2.1.22-8
openldap-servers-2.1.22-8
openldap-2.1.22-8
[oscarp@otr oscarp]$ rpm -qa | grep krb5
krb5-devel-1.3.4-1
krb5-server-1.3.4-1
krb5-workstation-1.3.4-1
pam_krb5-2.0.4-1
krb5-libs-1.3.4-1
[oscarp@otr oscarp]$ rpm -qa | grep openssl
openssl-0.9.7a-23
openssl-devel-0.9.7a-23
[oscarp@otr oscarp]$

[oscarp@otr oscarp]$ ldapsearch -H ldap:/// -b "" supportedSASLMechanims -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: supportedSASLMechanims
#


# search result
search: 2
result: 32 No such object

# numResponses: 1
[oscarp@otr oscarp]$

Can someone point me to where I should
check to fix this problem? Thanks.

O Plameras