(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;
This message means that slapd is not running as root and, thus, it cannot get its Kerberos 5 key from the keytab, usually file /etc/krb5.keytab.

A keytab file is used to store keys that are to be used by services or daemons that are started at boot time. It is very important that these secrets are kept beyond reach of intruders.

That's why the default keytab file is owned by root and protected from being read by others. Do not mess with these permissions, build a different keytab file for slapd instead.

To do this, start kadmin, and enter the following commands:

  • addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
  • ktadd -k /etc/openldap/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM
Then, on the shell, do:
  • chown ldap.ldap /etc/openldap/ldap.keytab
  • chmod 600 /etc/openldap/ldap.keytab
Now you have to tell slapd (well, actually tell the gssapi library in Kerberos 5 that is invoked by Cyrus SASL) where to find the new keytab. You do this by setting the environment variable KRB5_KTNAME like this:
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
Set that environment variable on the slapd start script (RedHat users might find /etc/sysconfig/ldap a perfect place).
jsanchez@openldap.org, hyc@openldap.org
This only works if you are using MIT kerberos. It doesn't work with Heimdal, for instance.
In Heimdal there is a function gsskrb5_register_acceptor_identity() that sets the path of the keytab file you want to use. In Cyrus SASL 2 you can add
    keytab: /path/to/file
to your application's SASL config file to use this feature. This only works with Heimdal.
KRB5_KTNAME should be placed in /etc/sysconfig/slapd without the export keyword on Fedora and Red Hat Enterprise Linux systems since systemd init system is used. (This means Fedora 16 and RHEL 7.)
[Append to This Answer]
Previous: (Answer) daemon: socket() failed errno=97 (Address family not supported)
Next: (Answer) access from unknown denied
This document is: http://www.openldap.org/faq/index.cgi?file=630
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org