[Date Prev][Date Next] [Chronological] [Thread] [Top]

Fw: SASL Bind errors with OpenLDAP

Dear All,
I have now identified the problem.
The solution is to ensure that there is a symbolic link from /etc to wherever the krb5.conf file resides, in this case /usr/local/etc/krb5.conf.  Although the error message is unhelpful this cured the problem.

Russell Seymour
----- Original Message -----
Sent: Wednesday, September 17, 2003 10:21 AM
Subject: SASL Bind errors with OpenLDAP

Good morning list,
I have been working on implementing an OpenLDAP solution for quite a while now and everything was working OK.  However I have had cause to recompile all my software due to some problems I had when I installed a Solaris 8 Patch Cluster which broke all the OpenLDAP stuff.
The following packages are installed in /usr/local:
    MIT Kerberos (1.2.8)
    Cyrus-SASL (2.1.15) (with a symlink to /usr/local/lib/sasl2 in /usr/lib)
    OpenLDAP (2.1.22)
Berkerkley DB is installed in /usr
I have now got everything up and running again, e.g. Kerberos & OpenLDAP and I can get tickets from the Kerberos server.  I can also check the mechanisms that the LDAP server is supporting (which includes GSSAPI), however I have an annoying problem that I hope someone might be able to point me in the right direction with.
When I run ldapsearch with an SASL bind I get the following error:
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
            additional info: SASL (-1): generic failure: GSSAPI Failure (could not get major error message)
As you can see it is not very easy to understand what is going on here due to the lack of error message.
In addition to this, when I am running slapd in debug mode I can see the following:
    do_sasl_bind: dn () mech GSSAPI
    SASL [conn=1] Failure: GSSAPI Failure (could not get major error message)
I have through all the settings and everything appears to be correct, e.g. server names and ports etc.  One interesting thing is that before I have been able to see the Kerberos ticket translated into an LDAP DN (through the regexp in the slapd.conf file) but I am now not seeing this.  I do not know if this is related or not.
Has anyone got any ideas on this one?  I would be most grateful for anything (getting the error message would be a start).
Thanks very much in advance.

Russell Seymour