
OpenLDAP with GSSAPI problem



Hello All,
 
I have a problem getting OpenLDAP 2.1.21 to work with the Cyrus-SASL 2.1.10 GSSAPI mechanism.
Can you please give the steps for how to configure it (slapd.conf, ldap.conf, and a sample LDIF, if any special entries are needed for GSSAPI)?
Note: mechanisms like CRAM-MD5 and DIGEST-MD5 are working with the following configuration.
Here is my configuration for GSSAPI,

slapd.conf:
========
#sasl-realm         TEAM.COM
sasl-host          krishna.team.com
password-hash   {CLEARTEXT}
access to * by * write
access to * by * read
srvtab /etc/krb5.keytab

sasl-regexp
        uid=(.*),cn=digest-md5,cn=auth
        ldap:///dc=team,dc=com??sub?uid=$1

sasl-regexp
        uid=(.*),cn=cram-md5,cn=auth
        ldap:///dc=team,dc=com??sub?uid=$1

sasl-regexp
        uid=(.*),cn=gssapi,cn=auth
        ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)

backend         bdb
database        bdb
suffix          "dc=team,dc=com"
rootdn          "dc=team,dc=com"
rootpw          secret
directory       /etc/openldap/openldap-ldbm1
index   objectClass     eq

#  ./ldapwhoami -Y GSSAPI -U s001 -D "dc=team,dc=com"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure

slapd debug output:
===============
do_sasl_bind: dn (dc=team,dc=com) mech GSSAPI
SASL [conn=1] Failure: GSSAPI Failure
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush: 63 bytes to sd 11
<== slap_sasl_bind: rc=49
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
ber_get_next
ber_get_next on fd 11 failed errno=0 (Error 0)
connection_read(11): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=11 for close
connection_close: conn=1 sd=11

test.ldif
======
--snip--
dn: cn=shs+uid=s001,dc=team,dc=com
cn: shs
uid: s001
ou: Development
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 313 764 5140
mail: shs@krishna.team.com
sn: shs
userPassword: {KERBEROS}principal@REALM

Please give your comments and ideas on how to get this to work.
 
The Platform details,
1. HP-UX 11.11
2. The default system Kerberos and GSSAPI libraries are used. (If all the configuration and methods are right, then I will try the same thing with MIT Kerberos. Please confirm whether the steps for testing are correct.)

Thanks,
-Shaick.
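The sasl-regexp rules in the post decide which directory entry a SASL identity becomes, so it is worth checking them in isolation before chasing the GSSAPI layer. The following is an added example, not code from the post or from OpenLDAP: a small simulation of slapd's sasl-regexp step (first matching rule wins, $1 is substituted into the LDAP URL, the resulting search must return exactly one entry or the bind fails). The in-memory directory is a constructed stand-in for the test.ldif entry shown above, carrying only the attributes that matter for the mapping; the search code handles only a single equality filter. It also shows, as an assumption about the input rather than a fact the post establishes, what the greedy `(.*)` does if the authorization DN carries a `cn=<realm>` component, which OpenLDAP inserts when the mechanism reports a realm.

```python
import re

# The three sasl-regexp rules from the post, as (pattern, LDAP URL template).
# The GSSAPI rule is kept exactly as posted, including the literal "@REALM".
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=cram-md5,cn=auth",   "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=gssapi,cn=auth",     "ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)"),
]

# Constructed stand-in for the test.ldif entry: note there is no
# krb5PrincipalName attribute on it, just as in the posted LDIF.
DIRECTORY = [
    {"dn": "cn=shs+uid=s001,dc=team,dc=com", "cn": ["shs"], "uid": ["s001"]},
]


def rewrite(authzid, rules=SASL_REGEXP_RULES):
    """Return the LDAP URL produced by the first rule whose pattern matches
    the SASL authorization DN, with $1.. replaced by the captured groups.
    Returns None when no rule matches (slapd then leaves the DN unmapped)."""
    for pattern, template in rules:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m:
            url = template
            for i, group in enumerate(m.groups(), start=1):
                url = url.replace("$%d" % i, group)
            return url
    return None


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter).
    Only what the rewrite above can produce is handled."""
    if not url.startswith("ldap:///"):
        raise ValueError("unsupported URL: %r" % url)
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = parts[:4]
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]          # drop the outer parentheses of the filter
    return base, (scope or "base"), flt


def search(base, scope, flt, directory=DIRECTORY):
    """Toy search supporting a single equality filter (attr=value)."""
    attr, _, value = flt.partition("=")
    attr = attr.lower()
    base = base.lower()
    hits = []
    for entry in directory:
        dn = entry["dn"].lower()
        in_scope = (dn == base) if scope == "base" else dn.endswith(base)
        if in_scope and value in entry.get(attr, []):
            hits.append(entry["dn"])
    return hits


def map_authzid(authzid, rules=SASL_REGEXP_RULES, directory=DIRECTORY):
    """Map a SASL authorization DN to an entry DN the way slapd's sasl-regexp
    does: rewrite, search, and accept the result only if exactly one entry
    matched. Anything else makes the bind fail."""
    url = rewrite(authzid, rules)
    if url is None:
        return None
    hits = search(*parse_ldap_url(url), directory=directory)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for authzid in ("uid=s001,cn=digest-md5,cn=auth",
                    "uid=s001,cn=cram-md5,cn=auth",
                    "uid=s001,cn=gssapi,cn=auth",
                    # assumed form with a realm component, not taken from the post
                    "uid=s001,cn=TEAM.COM,cn=gssapi,cn=auth"):
        print("%-45s -> %s -> %s" % (authzid, rewrite(authzid), map_authzid(authzid)))
```

Run against the posted rules, the DIGEST-MD5 and CRAM-MD5 identities both resolve to `cn=shs+uid=s001,dc=team,dc=com`, while the GSSAPI identity rewrites to a `krb5PrincipalName=s001@REALM` search that matches nothing, because the posted entry has no such attribute. A realm-bearing authorization DN makes `(.*)` swallow `s001,cn=TEAM.COM` as $1; `([^,]*)` captures only the user part.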