
Re: OpenLDAP with GSSAPI problem



Hello Turbo,

I have added the following lines to my ldif file,
objectClass: krb5Principal
krb5PrincipalName: principal@REALM

But I still got the same error:
#  ./ldapsearch -Y GSSAPI -U s001
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure

Is my configuration in slapd.conf correct?

=======
slapd.conf
========
#sasl-realm         TEAM.COM
sasl-host          krishna.team.com
password-hash   {CLEARTEXT}

access to * by * write
access to * by * read

srvtab /etc/krb5.keytab

sasl-regexp
        uid=(.*),cn=digest-md5,cn=auth
        ldap:///dc=team,dc=com??sub?uid=$1

sasl-regexp
        uid=(.*),cn=cram-md5,cn=auth
        ldap:///dc=team,dc=com??sub?uid=$1

sasl-regexp
        uid=(.*),cn=gssapi,cn=auth
        ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)

backend         bdb
database        bdb
suffix          "dc=team,dc=com"
rootdn          "dc=team,dc=com"
rootpw          secret
directory       /etc/openldap/openldap-ldbm1
index   objectClass     eq

#  ./ldapwhoami -Y GSSAPI -U s001 -D "dc=team,dc=com"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure

slapd debug output:
===============
do_sasl_bind: dn (dc=team,dc=com) mech GSSAPI
SASL [conn=1] Failure: GSSAPI Failure
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush: 63 bytes to sd 11
<== slap_sasl_bind: rc=49
connection_get(11): got connid=1
connection_read(11): checking for input on id=1
ber_get_next
ber_get_next on fd 11 failed errno=0 (Error 0)
connection_read(11): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=11 for close
connection_close: conn=1 sd=11

test.ldif
======
--snip--
dn: cn=shs+uid=s001,dc=team,dc=com
cn: shs
uid: s001
ou: Development
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: krb5Principal
krb5PrincipalName: principal@REALM
facsimileTelephoneNumber: +1 313 764 5140
mail: shs@krishna.team.com
sn: shs
userPassword: {KERBEROS}principal@REALM


Please give your comments and ideas here to get this working.

The platform details:
1. HP-UX 11.11
2. The default system Kerberos and GSSAPI libraries are used. (If all the
configuration and methods are right, then I will try the same thing with MIT
Kerberos. Please confirm whether the steps for testing are correct.)
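As an added illustration (example code written for this page, not part of the post or of OpenLDAP itself) of what the three sasl-regexp rules in the slapd.conf above do once the GSSAPI layer has accepted the client: slapd tries the rules in order, the first regexp that matches the SASL identity wins, $1 is substituted into its LDAP URL, and the resulting search must find exactly one entry. The SASL identity strings and the reduced s001 entry below are constructed samples; matching the regexp from the start of the identity is an assumption made for this illustration.

```python
import re

# The three sasl-regexp rules from the slapd.conf above, tried in order;
# the first regexp that matches the SASL identity wins and $1 is substituted.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth",
     "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=cram-md5,cn=auth",
     "ldap:///dc=team,dc=com??sub?uid=$1"),
    (r"uid=(.*),cn=gssapi,cn=auth",
     "ldap:///dc=team,dc=com??sub?(krb5PrincipalName=$1@REALM)"),
]

def map_sasl_identity(identity, rules=SASL_REGEXP_RULES):
    """Return the DN or LDAP URL produced by the first matching rule, else None."""
    for pattern, template in rules:
        m = re.match(pattern, identity, re.IGNORECASE)  # anchored at the start (assumption)
        if m:
            target = template
            for n, group in enumerate(m.groups(), start=1):
                target = target.replace("$%d" % n, group)
            return target
    return None

def search_filter_of(ldap_url):
    """Pull the filter out of an ldap:///base?attrs?scope?filter URL (4th '?' field)."""
    parts = ldap_url.split("?")
    if len(parts) < 4:
        return None
    flt = parts[3]
    return flt if flt.startswith("(") else "(%s)" % flt

def entry_matches(entry, flt):
    """Evaluate a simple (attr=value) equality filter against an entry given as
    {attr: [values]}; that is all the URLs in this config need."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("only (attr=value) filters are supported: %r" % flt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return value in [v.lower() for v in values]

# Constructed sample: the s001 entry from test.ldif, reduced to the relevant attributes.
S001_ENTRY = {"uid": ["s001"], "krb5PrincipalName": ["principal@REALM"]}

if __name__ == "__main__":
    for ident in ("uid=s001,cn=gssapi,cn=auth", "uid=s001,cn=digest-md5,cn=auth"):
        url = map_sasl_identity(ident)
        flt = search_filter_of(url)
        print(ident, "->", url, "-> matches s001:", entry_matches(S001_ENTRY, flt))
```

Running it shows that a GSSAPI identity for s001 maps to a search for `(krb5PrincipalName=s001@REALM)`, so the krb5PrincipalName value stored in the entry has to be the actual principal the user authenticated as for the mapping to find the entry.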