[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL/GSSAPI problem.

To: "'Lewis Thompson'" <purple@lewiz.info>, <openldap-software@OpenLDAP.org>
Subject: RE: SASL/GSSAPI problem.
From: "Howard Chu" <hyc@highlandsun.com>
Date: Sat, 26 Jul 2003 20:02:40 -0700
Importance: Normal
In-reply-to: <20030727020615.GA6363@lewiz.org>

You have sasl-host ldap.lewiz.org in your slapd.conf, and your TGS request
uses orange.lewiz.org; this can cause some problems as the hostnames don't
match. The only other likely problem is that your keytab is not readable by
the slapd process. Usually it's unnecessary to specify the sasl-host or
sasl-realm in slapd.conf.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lewis Thompson

> Hi,
>
>   I'm fairly new to the world of LDAP/OpenLDAP (as well as
> Kerberos and
> SASL ;) so excuse me if I make a mistake.
>
>   I've setup Kerberos (which works, as far as I can tell -- I
> can get a
> ticket, etc.) and can fully run the cyrus-sasl2
> sample-server/sample-client suite, which is proof it works, I guess.
>
>   When I come to getting OpenLDAP21 to use Kerberos to authenticate, I
> run into trouble.  My directory (for testing) is simple:
>
> dn: dc=lewiz,dc=org
> dc: lewiz
> objectClass: top
> objectClass: domain
>
> dn: ou=People,dc=lewiz,dc=org
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> dn: uid=lewiz,ou=People,dc=lewiz,dc=org
> uid: lewiz
> cn: Lewis Thompson
> objectClass: account
> objectClass: top
> objectClass: krb5Principal
> krb5PrincipalName: lewiz@LEWIZ.ORG
>
>   and I also have the following in my slapd.conf:
>
> sasl-realm      LEWIZ.ORG
> sasl-host       ldap.lewiz.org
>
> sasl-regexp
> 	uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth
> 	uid=$1,ou=People,dc=lewiz,dc=org
>
>   As I said, I'm new to this, but I believe the sasl-regexp matches up
> the provided details to the actual entry (from the
> Administration Guide
> (http://www.openldap.org/devel/admin/sasl.html)).
>
>   Anyhow, I can successfully get a ticket with ``kinit
> lewiz'', but when
> I try and do a simple:  ldapsearch -I I receive the following:
>
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
>   In my log file I get the following (loglevel 2):
>
> Jul 27 01:50:42 orange slapd[61641]: connection_get(12)
> Jul 27 01:50:43 orange last message repeated 2 times
> Jul 27 01:50:43 orange slapd[61641]: SRCH "" 0 0
> Jul 27 01:50:43 orange slapd[61641]:     0 0 0
> Jul 27 01:50:43 orange slapd[61641]:     filter: (objectClass=*)
> Jul 27 01:50:43 orange slapd[61641]:     attrs:
> Jul 27 01:50:43 orange slapd[61641]:  supportedSASLMechanisms
> Jul 27 01:50:43 orange slapd[61641]:
> Jul 27 01:50:43 orange slapd[61641]: send_ldap_result: err=0
> matched=""
> text=""
> Jul 27 01:50:44 orange slapd[61641]: connection_get(12)
> Jul 27 01:50:44 orange slapd[61641]: ==> sasl_bind: dn="" mech=GSSAPI
> datalen=542
> Jul 27 01:50:44 orange slapd[61641]: GSSAPI Failure:
> gss_accept_sec_context
> Jul 27 01:50:44 orange slapd[61641]: send_ldap_result: err=49
> matched=""
> text="SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context"
> Jul 27 01:50:44 orange slapd[61641]: connection_get(12)
>
>   also, Kerberos logs show:
>
> 2003-07-27T02:50:44 TGS-REQ lewiz@LEWIZ.ORG from IPv4:192.168.0.2 for
> ldap/orange.lewiz.org@LEWIZ.ORG
>
> so the ticket is definitely being checked, or something like that.
> Furthermore, I have ldap/orange.lewiz.org in the keytab slapd
> is running
> on.
>
>   I've been unable to find much detail on the error (in fact,
> it doesn't
> even appear to be an error) and /any/ help would be greatly
> appreciated!
> Thanks very much,
>
> -lewiz.
>
> --
> If you took all the students that felt asleep in class and laid them
> end to end, they'd be a lot more comfortable.
> 		-- "Graffiti in the Big Ten"
> --------------------------------------------------------------
> ----------
> -| msn:purple@lewiz.net | jab:lewiz@jabber.org |
> url:http://lewiz.net |-
>

Follow-Ups:
- Re: SASL/GSSAPI problem.
  - From: "'Lewis Thompson'" <purple@lewiz.info>

References:
- SASL/GSSAPI problem.
  - From: Lewis Thompson <purple@lewiz.info>

Prev by Date: SASL/GSSAPI problem.
Next by Date: Re: windows version?
Index(es):
- Chronological
- Thread