
Re: open ldap with SASL & GSSAPI



On Wed, 2006-11-08 at 18:28 -0800, Howard Chu wrote:

snip

> 
> MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal 
> is known to work well. On the client side, either one will work, but 
> generally I would recommend using Heimdal.
> 

I have heard that through other sources as well.  I'm really just using
MIT Kerberos because it shipped with my distro.  Can I move the Kerberos
database directly to Heimdal in the future?

snip

> > 
> > 
> > I figure this is one of three possible problems.
> > 1 - saslauthd isn't working right
> 
> SASL-enabled servers don't talk to saslauthd to perform GSSAPI 
> authentication, so that is out of the equation.
> 

That's very interesting.  If OpenLDAP and other SASL-enabled services
don't need saslauthd, what does use it?  Just curious.  Maybe it's
something I can turn off.

> > 2 - ldap isn't talking to sasl correctly
> 
> unlikely.
> 
> > 3 - I've done something wrong with my ldap queries.
> 
> possible.
> > 
> > Kerberos seems to work fine.  I can get my credentials with kinit, and
> > the GSSAPI credentials are working for ssh logins.  Also, I can use
> > testsaslauthd and get a success from the authd server.
> 
> Since you say kinit works, what tickets does klist show you having?
> 

[sleepylight@minitop ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: sleepylight@JIVE-TURKEY.NET

Valid starting     Expires            Service principal
11/08/06 23:42:04  11/09/06 23:42:04
krbtgt/JIVE-TURKEY.NET@JIVE-TURKEY.NET
11/08/06 23:42:12  11/09/06 23:42:04
ldap/ns.jive-turkey.net@JIVE-TURKEY.NET


Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached
I have some more information from playing around this afternoon.  The
first thing I found is that LDAP authentication is still working for my
Fedora 5 computers.  The LDAP queries for users are failing only for the
Fedora 6 machine.  Since the setups are identical except for releases, I
submitted a bug report to Red Hat's bugzilla.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214679

There are two logs attached to the bug report which detail this problem.
They are both kind of lengthy, so I won't list them here.

That having been said, I'm really really leaning toward me not setting
up these queries correctly.  ldapsearch is still failing regardless of
whether or not logins are working, and they are failing with the same
error messages.

Thanks for your quick response.
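As an added illustration (not part of this thread or of OpenLDAP), a small POSIX shell check that reads a klist dump in the format quoted above and says whether the cache already holds the ldap/ service ticket a GSSAPI bind needs. The host and realm names are the ones from the klist output; the three-way classification is an assumption of the example, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: classify a GSSAPI bind problem from
# the client's ticket cache alone. Assumes the server principal is
# ldap/<fqdn>@REALM, as in the klist output quoted in the thread.

# Constructed sample in the layout that klist printed in the thread, where a
# long service principal wraps onto the line after its validity times.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_502
Default principal: sleepylight@JIVE-TURKEY.NET

Valid starting     Expires            Service principal
11/08/06 23:42:04  11/09/06 23:42:04
krbtgt/JIVE-TURKEY.NET@JIVE-TURKEY.NET
11/08/06 23:42:12  11/09/06 23:42:04
ldap/ns.jive-turkey.net@JIVE-TURKEY.NET'

# Print every service principal (service/instance@REALM) in a klist dump,
# one per line, whether it sits beside its times or wrapped onto the next line.
list_principals() {
    printf '%s\n' "$1" | grep -o '[^ ]*/[^ ]*@[^ ]*'
}

# Succeed when the dump holds a ticket for exactly the given principal.
has_ticket() {
    list_principals "$1" | grep -qxF "$2"
}

# Print one of: no-tgt, no-service-ticket, have-service-ticket.
# usage: diagnose "<klist output>" <ldap server fqdn> <REALM>
diagnose() {
    host=$2
    realm=$3
    if ! has_ticket "$1" "krbtgt/$realm@$realm"; then
        echo no-tgt                 # kinit never succeeded, or the TGT expired
    elif ! has_ticket "$1" "ldap/$host@$realm"; then
        echo no-service-ticket      # never reached the TGS step: check the
                                    # server name / principal the client asked for
    else
        echo have-service-ticket    # client side is fine; look at the LDAP SASL
                                    # exchange and the server's keytab instead
    fi
}

diagnose "$SAMPLE_KLIST" ns.jive-turkey.net JIVE-TURKEY.NET
```

To run it against a live cache, replace the constructed sample with `"$(klist)"`.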