
SASL/GSSAPI authentication problems - Invalid credentials



I wrote to the list last month describing some trouble I've been having
getting proper SASL/GSSAPI authentication to work with a new OpenLDAP
installation.  Unfortunately I haven't made a lot of headway since then.

In a nutshell:

    openldap-2.1.16
    cyrus-sasl-2.1.12
    db-4.1.25
    heimdal-20030224

Non SASL anonymous binds work just fine (lookups from various
addressbooks and from GQ are very quick and trouble free), but when I
try to do a SASL bind (via ldapwhoami for instance) I get the following:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): authentication failure: GSSAPI
    Failure: gss_accept_sec_context

slapd is running as root currently, so it has access to /etc/krb5.keytab
(which contains a principal with the correct kvno for the host).  The
client (in this case ldapwhoami) gets a service ticket for that
principal, but fails with the above error.

My openldap ldap.conf file is pretty simple:

    BASE    dc=reed,dc=edu
    ldap://thingone.reed.edu
    SIZELIMIT       700
    TIMELIMIT       150
    DEREF           never

My slapd.conf sasl configs look like this:

    srvtab          /etc/krb5.keytab
    sasl-realm      REED.EDU
    sasl-host       thingone.reed.edu

    sasl-regexp
            "uid=\(.*\),cn=reed.edu,cn=gssapi,cn=auth"
            "uid=$1,ou=Person,dc=reed,dc=edu"

I've run slapd with -5 debug which generated a lot of info, but I'm not
sure it would be good etiquette to attach that to this message since
it's rather large.

I'm really looking forward to doing a lot of work with OpenLDAP, but for
now I'm stuck since I can't authenticate....

Does anyone have any suggestions about how I might further pursue this
problem?  Would this be a better question for the sasl list?

Ben

P.S.  Will summarize in detail when this problem is resolved.

-- 
---------------------------------------------------------------------------
Ben Poliakoff                                       email: <benp@reed.edu>
Reed College                                          tel:  (503)-788-6674
Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019

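An added diagnostic sketch, not from the post or from OpenLDAP itself: it checks that the keytab holds the ldap/<sasl-host>@<sasl-realm> entry slapd needs, with the same kvno as the client's service ticket (a mismatch is one common way gss_accept_sec_context fails), and applies the post's sasl-regexp to a GSSAPI authorization id. The keytab listing and kvno line are constructed samples in MIT "klist -k" / "kvno" output style; Heimdal's "ktutil list" prints a different layout.

```python
import re

# Constructed sample in the style of MIT "klist -k" (assumption: Heimdal
# "ktutil list" uses a Vno/Type/Principal layout and would need its own parser).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/thingone.reed.edu@REED.EDU
   4 ldap/thingone.reed.edu@REED.EDU
"""

# Constructed: MIT "kvno ldap/thingone.reed.edu" style report of the ticket the
# client obtained ("<principal>: kvno = N").
TICKET_KVNO_LINE = "ldap/thingone.reed.edu@REED.EDU: kvno = 4"

# The sasl-regexp pair from the post's slapd.conf, translated from slapd's
# POSIX "\(.*\)" / "$1" syntax into Python's "(.*)" / "\1".
SASL_REGEXP = (r"uid=(.*),cn=reed.edu,cn=gssapi,cn=auth",
               r"uid=\1,ou=Person,dc=reed,dc=edu")


def parse_keytab(listing):
    """Return {principal: kvno} for every entry line of the keytab listing."""
    entries = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def check_service_principal(listing, sasl_host, sasl_realm, ticket_line):
    """Compare the keytab entry slapd will use with the client's ticket.
    Returns a list of findings; an empty list means they agree."""
    wanted = f"ldap/{sasl_host}@{sasl_realm}"
    keytab = parse_keytab(listing)
    if wanted not in keytab:
        return [f"keytab lacks {wanted}"]
    m = re.match(r"(\S+): kvno = (\d+)", ticket_line)
    if not m or m.group(1) != wanted:
        return ["client ticket is for a different principal"]
    if int(m.group(2)) != keytab[wanted]:
        return [f"kvno mismatch: keytab {keytab[wanted]}, ticket {m.group(2)}"]
    return []


def map_authzid(authzid, regexp=SASL_REGEXP):
    """Apply the sasl-regexp mapping; None if the authzid does not match."""
    pattern, template = regexp
    if re.fullmatch(pattern, authzid) is None:
        return None
    return re.sub(pattern, template, authzid)
```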