
RE: OpenLDAP with GSSAPI problem



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Shaick

> Hello Kent,
>
> It is a typo and i have corrected that as,
>
> sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
>                         ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)
>
> But I still receive the same error.
>
> # ./ldapsearch -Y GSSAPI -U s001 -b "dc=team,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure:
> GSSAPI Failure
>
>
> Please confirm that the STEPS and configuration are correct; if yes, I
> will try OpenLDAP with MIT Kerberos.

The error message you're receiving says that GSSAPI itself has failed; this
has nothing to do with the sasl-regexp at all. Kent's advice has absolutely
nothing to do with the problem you're seeing.

As I already stated - saslRegexp mapping is a purely optional step. Whether
it succeeds or fails will have no bearing on whether SASL/GSSAPI will succeed
or fail. (It will affect the outcome of SASL/DIGEST-MD5 and other
password-based mechanisms, since the password must be retrieved from the
entry matching the SASL DN. But since GSSAPI/Kerberos authentication is
completely outside of LDAP and SASL, there's simply no relevance here.)

The error message you're getting starts with "SASL(xx):" which means the
error you're getting came from the SASL library. This is not an error coming
from slapd itself. You need to check to see if your SASL installation is
properly configured, as well as checking to see if your Kerberos installation
is correct. It's unfortunate that the error message isn't any more detailed,
but that's all that the SASL library is telling us, so we can't provide any
more detail than that. If you want better diagnostics here, file a bug report
with the Cyrus SASL project.

As always, make sure you can get the Cyrus sample client and server working
before you attempt to use SASL with OpenLDAP. In the case of GSSAPI, make
sure your other Kerberized servers work first. Generally things fail here
because:
  1) slapd doesn't have access to the Kerberos keytab
  2) the LDAP service key isn't present in the Kerberos keytab
  3) the Kerberos realm that slapd is set for doesn't match the client's realm

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
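As an added example (not part of Howard's reply, and not OpenLDAP or Cyrus SASL code), the following POSIX shell script checks a host for the three causes listed above. It assumes MIT-style `klist -k` output (a KVNO column followed by the principal); the hostname `ldap1.team.com`, the realm `TEAM.COM` and the sample keytab listing are constructed placeholders, and the check for cause (1) is only meaningful when the script is run as the user slapd runs as.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenLDAP.
# Checks the three common GSSAPI failure causes from the reply above:
#   (1) slapd cannot read the keytab
#   (2) the ldap/<fqdn>@<REALM> service key is missing from the keytab
#   (3) the realm slapd is configured for differs from the client's realm
# Assumes MIT-style `klist -k` output (KVNO column, then principal).

# Constructed sample of `klist -k` output; on a real host use:
#   klist -k /etc/krb5.keytab      (run as the user slapd runs as)
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap1.team.com@TEAM.COM
   2 ldap/ldap1.team.com@TEAM.COM'

# keytab_principals KLIST_OUTPUT: print one principal per line, skipping the
# header lines (only lines whose second field contains an '@' are entries).
keytab_principals() {
    printf '%s\n' "$1" | awk '$2 ~ /@/ { print $2 }'
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: exit 0 if the exact principal
# (service/host@REALM, compared case-sensitively) is in the keytab.
keytab_has_principal() {
    keytab_principals "$1" | grep -qFx -- "$2"
}

# check_keytab_access KEYTAB: cause (1). Only meaningful when run as the
# slapd user (e.g. su -s /bin/sh <slapd-user> -c ...); root can read anything.
check_keytab_access() {
    if [ -r "$1" ]; then
        echo "ok: keytab $1 is readable by $(id -un)"
    else
        echo "PROBLEM (1): keytab $1 is missing or not readable by $(id -un)"
        return 1
    fi
}

# diagnose KLIST_OUTPUT FQDN SERVER_REALM CLIENT_REALM: causes (2) and (3).
# Returns 0 when both checks pass, 1 otherwise.
diagnose() {
    d_out=$1; d_fqdn=$2; d_srv=$3; d_cli=$4
    d_status=0
    d_want="ldap/$d_fqdn@$d_srv"
    if keytab_has_principal "$d_out" "$d_want"; then
        echo "ok: service key $d_want present in keytab"
    else
        echo "PROBLEM (2): $d_want not in keytab; keytab holds:" \
             "$(keytab_principals "$d_out" | tr '\n' ' ')"
        d_status=1
    fi
    if [ "$d_srv" = "$d_cli" ]; then
        echo "ok: server and client realm agree ($d_srv)"
    else
        echo "PROBLEM (3): slapd realm $d_srv differs from client realm $d_cli"
        d_status=1
    fi
    return $d_status
}

# Stand-alone run against the constructed sample (hostname and realm are
# placeholders): every check passes.
diagnose "$SAMPLE_KLIST" ldap1.team.com TEAM.COM TEAM.COM
```

On a live system, replace the sample with `"$(klist -k /etc/krb5.keytab)"`, pass the server's FQDN and the realm from slapd's environment, and take the client realm from the principal the failing `ldapsearch -Y GSSAPI` user obtained a ticket for; a PROBLEM line maps directly to one of the three causes in the reply, whereas "ok" on all three means the failure is elsewhere in the SASL or Kerberos setup.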