RE: stumped: setting up SASL+GSSAPI
I should have added that. I'm writing in part because
a) I followed the doc/gssapi.html examples
b) I get a "local error" in the GSSAPI code, which that
document indicates could be just about anything on the GSSAPI side
I moved to trying LDAP just in case it was a misconfiguration of that
particular combo on my part. It seems instead to be systemic.
I mailed the author of that document and have not heard back, so
I was looking for any additional guidance. I'm at the point of
downloading and installing DDD and trying my best to debug it, but
since I don't know EITHER body of code, I'm not optimistic about that.
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Saturday, September 30, 2000 11:16 AM
> To: firstname.lastname@example.org
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: stumped: setting up SASL+GSSAPI
> Do you have the Cyrus SASL sample client and server working?
> See the Cyrus SASL doc/gssapi.html for assistance.
> At 08:51 AM 9/30/00 -0400, Kyle Downey wrote:
> >Okay, I've been banging my head against Kerberos and OpenLDAP for the last
> >week, and I declare utter defeat. Learned more about Kerberos than I wanted
> >to know along the way, and successfully Kerberized my Linux box (telnet etc.
> >now use GSSAPI to authenticate). I'm working on a (LONG!) HOWTO that I plan
> >to contribute when done, but though I'm almost there, I still can't get it
> >to authenticate. For example, if I enter:
> >kinit [ enter username and password; log into Kerberos ]
> >ldapsearch -I
> >it prompts me for my username, then says
> >ldap_sasl_interactive_bind_s: Can't contact LDAP server
> >which is not true, because "ldapsearch -x" (plain authentication) works just
> >fine--the LDAP server is up and functioning. Furthermore, if I do a klist, I
> >can see GSSAPI added the credentials for "email@example.com" to
> >my local ticket cache, so Kerberos successfully logged me in.
> >Here's my config:
> >* vanilla Red Hat Linux 6.1
> >* Kerberos 5-1.1 configured with --enable-shared --without-krb4
> >* Cyrus SASL 1.5.24 configured with --disble-krb4 --enable-gssapi
> > --disable-cram --disable-digest
> >* OpenLDAP 2.0.4 configured with --with-cyrus-sasl --with-tls --enable-spasswd
> > --enable-aci
> >I've started krb5kdc and slapd, and the KDC has a principal and keytab entry
> >for "host/horatio.amberarcher.com" and "ldap/horatio.amberarcher.com" (else
> >it would not have gotten so far as to authenticate). I think I'm very close
> >to getting this to work, so I appreciate any help you can give me!
> >FYI, I tried recompiling Cyrus SASL with its own debug flag set in config.h
> >to produce more debugging information, but since it does succeed (debug
> >prints "GSS_S_COMPLETE" right before it bombs out), I'm not sure the
> >problem's there. I turned on debugging with -d 5 on ldapsearch, and didn't
> >find out anything useful. I tried going through the code and (because my C's
> >rusty) could not even find the exact spot where it's printing that message!
> >Thanks in advance.