
SASL/GSSAPI problem.



Hi,

  I'm fairly new to the world of LDAP/OpenLDAP (as well as Kerberos and
SASL ;) so excuse me if I make a mistake.

  I've set up Kerberos (which works, as far as I can tell -- I can get a
ticket, etc.) and can fully run the cyrus-sasl2
sample-server/sample-client suite, which is proof it works, I guess.

  When I come to getting OpenLDAP21 to use Kerberos to authenticate, I
run into trouble.  My directory (for testing) is simple:

dn: dc=lewiz,dc=org
dc: lewiz
objectClass: top
objectClass: domain

dn: ou=People,dc=lewiz,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=lewiz,ou=People,dc=lewiz,dc=org
uid: lewiz
cn: Lewis Thompson
objectClass: account
objectClass: top
objectClass: krb5Principal
krb5PrincipalName: lewiz@LEWIZ.ORG

  and I also have the following in my slapd.conf:

sasl-realm      LEWIZ.ORG
sasl-host       ldap.lewiz.org

sasl-regexp
	uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth
	uid=$1,ou=People,dc=lewiz,dc=org

  As I said, I'm new to this, but I believe the sasl-regexp matches up
the provided details to the actual entry (from the Administration Guide
(http://www.openldap.org/devel/admin/sasl.html)).

  Anyhow, I can successfully get a ticket with ``kinit lewiz'', but when
I try and do a simple ``ldapsearch -I'', I receive the following:

SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

  In my log file I get the following (loglevel 2):

Jul 27 01:50:42 orange slapd[61641]: connection_get(12) 
Jul 27 01:50:43 orange last message repeated 2 times
Jul 27 01:50:43 orange slapd[61641]: SRCH "" 0 0
Jul 27 01:50:43 orange slapd[61641]:     0 0 0 
Jul 27 01:50:43 orange slapd[61641]:     filter: (objectClass=*) 
Jul 27 01:50:43 orange slapd[61641]:     attrs:
Jul 27 01:50:43 orange slapd[61641]:  supportedSASLMechanisms
Jul 27 01:50:43 orange slapd[61641]:  
Jul 27 01:50:43 orange slapd[61641]: send_ldap_result: err=0 matched=""
text="" 
Jul 27 01:50:44 orange slapd[61641]: connection_get(12) 
Jul 27 01:50:44 orange slapd[61641]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=542 
Jul 27 01:50:44 orange slapd[61641]: GSSAPI Failure:
gss_accept_sec_context
Jul 27 01:50:44 orange slapd[61641]: send_ldap_result: err=49 matched=""
text="SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context" 
Jul 27 01:50:44 orange slapd[61641]: connection_get(12)

  also, Kerberos logs show:

2003-07-27T02:50:44 TGS-REQ lewiz@LEWIZ.ORG from IPv4:192.168.0.2 for
ldap/orange.lewiz.org@LEWIZ.ORG

so the ticket is definitely being checked, or something like that.
Furthermore, I have ldap/orange.lewiz.org in the keytab slapd is running
on.

  I've been unable to find much detail on the error (in fact, it doesn't
even appear to be an error) and /any/ help would be greatly appreciated!
Thanks very much,

-lewiz.

-- 
If you took all the students that fell asleep in class and laid them
end to end, they'd be a lot more comfortable.
		-- "Graffiti in the Big Ten"
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-

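The sasl-regexp mapping quoted in the post above, modelled in Python as an added example (this is not code from the original message or from OpenLDAP). It builds the authentication identity in the `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` form the Admin Guide describes, then applies the slapd.conf rules in order. Assumptions, labelled in the comments: the realm component is taken from `user@REALM` (falling back to a `sasl-realm` value passed as `default_realm`), matching is case-insensitive and unanchored like regexec(3), and `$1`..`$9` in the replacement stand for the captured groups. The rule list and the sample identities are constructed from the post's own configuration and principal.

```python
import re
from typing import List, Optional, Tuple

# sasl-regexp rules as (match pattern, replacement) in slapd.conf order,
# copied from the configuration quoted in the post above.
SASL_REGEXPS: List[Tuple[str, str]] = [
    (r"uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth",
     r"uid=$1,ou=People,dc=lewiz,dc=org"),
]


def sasl_auth_dn(principal: str, mech: str = "gssapi",
                 default_realm: Optional[str] = None) -> str:
    """Build the authentication-identity DN that sasl-regexp rules see.

    Form per the Admin Guide: uid=<user>,cn=<realm>,cn=<mech>,cn=auth.
    Assumption (model, not slapd's code): the realm is the part after '@'
    in the principal, else default_realm (the sasl-realm directive); with
    no realm at all the cn=<realm> component is omitted.
    """
    user, _, realm = principal.partition("@")
    realm = realm or default_realm
    parts = [f"uid={user}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.extend([f"cn={mech}", "cn=auth"])
    return ",".join(parts)


def apply_sasl_regexp(auth_dn: str,
                      rules: List[Tuple[str, str]] = SASL_REGEXPS
                      ) -> Optional[str]:
    """Return the entry DN produced by the first matching rule, else None.

    Assumption: patterns are matched case-insensitively and unanchored
    (as POSIX regexec does; anchor with ^ and $ yourself for a full-DN
    match), and $N in the replacement is group N of the match.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, flags=re.IGNORECASE)
        if not m:
            continue

        def group(ref: "re.Match[str]") -> str:
            idx = int(ref.group(1))
            return m.group(idx) or "" if idx <= len(m.groups()) else ""

        return re.sub(r"\$(\d)", group, replacement)
    return None


def map_principal(principal: str, default_realm: Optional[str] = None
                  ) -> Tuple[str, Optional[str]]:
    """Convenience: principal -> (auth DN, mapped entry DN or None)."""
    auth_dn = sasl_auth_dn(principal, default_realm=default_realm)
    return auth_dn, apply_sasl_regexp(auth_dn)


if __name__ == "__main__":
    # Constructed sample identities: the post's principal, the same user
    # in a realm the rule does not cover, and a bare name with sasl-realm.
    for princ, realm in [("lewiz@LEWIZ.ORG", None),
                         ("lewiz@OTHER.ORG", None),
                         ("lewiz", "LEWIZ.ORG")]:
        auth_dn, entry = map_principal(princ, realm)
        print(f"{princ:18} -> {auth_dn}")
        print(f"{'':18}    maps to: {entry if entry else '(no rule matched)'}")
```

Two things to take from running it. First, the unescaped `.` in `cn=lewiz.org` matches any character, so escape it (`lewiz\.org`) if you want the rule to be strict about the realm. Second, this mapping only runs after `gss_accept_sec_context` has succeeded; a failure at that call, as in the post, means the server could not use the key for the service principal the client asked for (`ldap/orange.lewiz.org@LEWIZ.ORG` in the KDC log), so the thing to verify is that exactly that principal, at the kvno the KDC issues, is in the keytab slapd actually reads, not the regexp.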