[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: stumped: setting up SASL+GSSAPI

I should have added that. I'm writing in part because 

	a) I followed the doc/gssapi.html examples 


	b) I get a "local error" in the GSSAPI code, which that 
document indicates could be just about anything on the GSSAPI side

I moved to trying LDAP just in case it was a misconfiguration of that
particular combo on my part. It seems instead to be systemic.

I mailed the author of that document and have not heard back, so 
I was looking for any additional guidance. I'm at the point of 
downloading and installing DDD and trying my best to debug it, but
since I don't know EITHER body of code, I'm not optimistic about that.


> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Saturday, September 30, 2000 11:16 AM
> To: kyle.downey@amberarcher.com
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: stumped: setting up SASL+GSSAPI
> Do you have the Cyrus SASL sample client and server working?
> See the Cyrus SASL doc/gssapi.html for assistance.
> At 08:51 AM 9/30/00 -0400, Kyle Downey wrote:
> >Okay, I've been banging my head against Kerberos and OpenLDAP 
> for the last
> >week, and I declare utter defeat. Learned more about Kerberos 
> than I wanted
> >to know along the way, and successfully Kerberized my Linux box 
> (telnet etc.
> >now use GSSAPI to authenticate). I'm working on a (LONG!) HOWTO 
> that I plan
> >to contribute when done, but though I'm almost there, I still 
> can't get it
> >to authenticate. For example, if I enter:
> >
> >kinit [ enter username and password; log into Kerberos ]
> >ldapsearch -I
> >
> >it prompts me for my username, then says
> >
> >ldap_sasl_interactive_bind_s: Can't contact LDAP server
> >
> >which is not true, because "ldapsearch -x" (plain 
> authentication) works just
> >fine--the LDAP server is up and functioning. Furthermore, if I 
> do a klist, I
> >can see GSSAPI added the credentials for 
> "ldap@horatio.amberarcher.com" to
> >my local ticket cache, so Kerberos successfully logged me in.
> >
> >Here's my config:
> >
> >* vanilla Red Hat Linux 6.1
> >* Kerberos 5-1.1 configured with --enable-shared --without-krb4
> >* Cyrus  SASL 1.5.24 configured with --disble-krb4 --enable-gssapi
> >    --disable-cram --disable-digest
> >* OpenLDAP 2.0.4 configured
> >with --with-cyrus-sasl --with-tls --enable-spasswd
> >    --enable-aci
> >
> >I've started krb5kdc and slapd, and the KDC has a principal and 
> keytab entry
> >for "host/horatio.amberarcher.com" and 
> "ldap/horatio.amberarcher.com" (else
> >it would not have gotten so far as to authenticate). I think I'm 
> very close
> >to getting this to work, so I appreciate any help you can give me!
> >
> >FYI, I tried recompiling Cyrus SASL with its own debug flag set 
> in config.h
> >to produce more debugging information, but since it does succeed (debug
> >prints "GSS_S_COMPLETE" right before it bombs out), I'm not sure the
> >problem's there. I turned on debugging with -d 5 on ldapsearch, 
> and didn't
> >find out anything useful. I tried going through the code and 
> (because my C's
> >rusty) could not even find the exact spot where it's printing 
> that message!
> >
> >Thanks in advance.
> >
> >regards,
> >kd
> >
> >
> >
> >_____NetZero Free Internet Access and Email______
> >   http://www.netzero.net/download/index.html

____________NetZero Free Internet Access and Email_________
Download Now     http://www.netzero.net/download/index.html
Request a CDROM  1-800-333-3633