[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Need SASL idiot-proof walkthrough

I have done the sample-server and sample-client and successfully got to the
"Negotiation complete" part.  But OpenLDAP is still giving me problems:

do_sasl_bind: dn () mech GSSAPI
SASL [conn=32] Failure: GSSAPI Error: Miscellaneous failure (see text)
(Decrypt integrity check failed)

The sasl tests work, kinit works, ???  I'm not sure what the problem could
be.  I do have an entry for dn: uid=digant,cn=people,dc=uta,dc=edu and my
slapd.conf file has the following:

(I do notice that the bind dn is "" which makes me think my sasl-regexp is

sasl-realm "KERB.UTA.EDU"
sasl-host labrador.kerb.uta.edu
sasl-regexp uid=(.*),cn=kerb.uta.edu,cn=gssapi,cn=auth

-----Original Message-----
From: Quanah Gibson-Mount
To: Digant Kasundra; 'openldap-software@openldap.org'
Sent: 3/26/2004 11:16 AM
Subject: Re: Need SASL idiot-proof walkthrough

--On Friday, March 26, 2004 10:21 AM -0600 Digant Kasundra

> Hello everyone,
> So far, no one has been able to decipher my SASL problem from my
> of log files and conf files etc.  I have even cleanly reinstalled my
> machines. There is something basic and simple and stupid that I must
> missing.  Can someone please give me a step-by-step walkthrough based
> the following information so I could make doubly sure that I am doing
> things properly?
> I have a KDC (running MIT KRB) on labrador.kerb.uta.edu.  I have an
> OpenLDAP 2.2.7 box running on omicron.kerb.uta.edu. I have a realm
> KERB.UTA.EDU.  I have a user dn: uid=digant,cn=people,dc=uta,dc=edu.
> An idiot-proof walkthrough would really help and I *KNOW* that's
asking a
> lot out of people and I wholely apologize for that.  I've done it on
> own and no one can see a problem with the way I did it but it still
> doesn't work.  So if someone can give me a step by step on which
> principals to create, what entry to create in the LDAP and what to put
> the slapd.conf (and any other important steps), I promise I will buy
> a pizza!


Have you compiled the test server/client that comes with Cyrus-SASL to 
verify that it authenticates correctly via GSSAPI at that level?

See this link:



Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html