[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd 2.4.23 SASL/GSSAPI problem



I have set KRB5_KTNAME in slapd startup script (/etc/default/slapd):

export KRB5_KTNAME=/etc/ldap/ldap.keytab

it's to separate system keytab from LDAP's. Anyway, that is a different error.

 Matej

On 12/06/2010 02:30 PM, Indexer wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configuration file does not specify default realm)

Do you mind showing us your slapd configuration, and also your sasl configuration?

My mistake, I was busy at work, and misunderstood. No need for SASL unless you use userPassword: {SASL}user@realm


I've generated keytab file with ldap/my.ldap.host principal and put it in /etc/ldap/ldap.keytab

Is your server configured to have the keytab in /etc/ldap/ldap.keytab? I use mine from /etc/krb5.keytab normally. See below for more



Because I don't use {SASL} password scheme, there is no special SASL configuration. Usage is like this (client):

ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
       additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configuration file does not specify default realm)

What command do you use to generate this error? Do you have a krb5 ticket granted? You can check with klist.


I tried google the problem, but it didn't help.

http://www.openldap.org/doc/admin24/appendix-common-errors.html

That lists the error you have, but it may not be the correct fix you need.

Look at section c.2.4 and c.1.21


Hope this helps you, and gets you on the right track.

William Brown

pgp.mit.edu



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQIcBAEBAgAGBQJM/OVdAAoJEHF16AnLoz6JM9UQAJ4wdyS9Hzw0pT6dQDLzXHfu
o/JQEx+o3ZbxTpjWxhGWW2ha69ztOoDWxK5x2M0HbfWWedrZ4Ov/vKwRlYW+eQQe
vWwKyeanmt+a4Tl/+M69qWGOe9VT7bXR9FRgXcXED5czTssmkX9fdX0ShBDh+rnc
Nb3Y1lDZGtqGZFQ+klE9eVpjkejtf9wdcQIQehJ+JmDwxt6n10sFwr0iNu2tszJe
AHgft3hGoyde17qUH2r346/JhztCrseGaYAdbAW+TFXF/mz0JekW2zy52VfDSe3p
9wIAPL6P7urOige9Fb/U+GhFUmEyGcF1nlagnQrD8BN3hOTGGmGaFUxbbz0qN+ox
OTt+A07kdkwGAOqfWG1onrc1Tn/4cE9sh4X/ZuomNKRXIoQXqET0KFMEC0edocvP
MhWS6Dtl/8Xr1yv4SGS1rR9ACOK3JXWntQRV0JaxXtDTIbXhptYxc2lGSdqg0EBw
Pl3W5f22c5xbZ9IGjRNCr8Q5DfpjoFxpfgHa3w9kotJ+s/4V79Wrgd+sMyLxfj2Y
HccC9/3rGKRJVdJHSkiKhAI8FgqyKt0bmbsa3t3rOlp2NCnwjGPVBUPYxXzJpmQ3
15tMDgTSle1AjUCfVY8VOuB2+noUJRK+1HzfPgz3apdI5d8jQgKss+XUKDWXcejS
ThTZv6+MqRdUbbJEyjR2
=i86w
-----END PGP SIGNATURE-----