
SASL woes



On FreeBSD 5.2.1, I am using this doc to try and get SASL auth to work with OpenLDAP 2.1.30. Cyrus-SASL 2.1.18 is using saslauthd, set up with Heimdal Kerberos 0.6, and saslauthd is running with the '-a kerberos5' flag. I initialized the realm in Heimdal, exported an ldap service key to /etc/krb5.keytab and set permissions to 'rw------- ldap ldap'. Then, using the doc below, I entered the SASL setup in slapd.conf:
 
sasl-host       esmtp.webtent.net
sasl-realm      WEBTENT.NET
sasl-regexp
        uid=(.*),cn=webtent.net,cn=gssapi,cn=auth
        uid=$1,ou=People,dc=webtent,dc=net
This is what is happening:
 
esmtp# kadmin -l
kadmin> list *
  robert@WEBTENT.NET
  Manager@WEBTENT.NET
  default@WEBTENT.NET
  imapadm@WEBTENT.NET
  kadmin/admin@WEBTENT.NET
  kadmin/hprop@WEBTENT.NET
  robert/admin@WEBTENT.NET
  kadmin/changepw@WEBTENT.NET
  changepw/kerberos@WEBTENT.NET
  krbtgt/WEBTENT.NET@WEBTENT.NET
  ldap/esmtp.webtent.net@WEBTENT.NET
kadmin> ext_keytab ldap/esmtp.webtent.net
kadmin> quit
esmtp# chown ldap:ldap /etc/krb5.keytab
esmtp# kinit robert
robert@WEBTENT.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
esmtp# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: robert@WEBTENT.NET
 
  Issued           Expires          Principal                  
Apr 24 14:16:25  Apr 25 00:16:25  krbtgt/WEBTENT.NET@WEBTENT.NET
esmtp# ldapsearch -x -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=webtent,dc=net> with scope sub
# filter: uid=robert
# requesting: -LLL
#
 
# Robert Fitzpatrick, People, webtent.net
dn: cn=Robert Fitzpatrick,ou=People,dc=webtent,dc=net
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1
esmtp# ldapsearch -Y GSSAPI -b "ou=People,dc=webtent,dc=net" "uid=robert" -LLL
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown)

I assume there is something major that I am missing; can someone offer what they think it may be?
 
--
Robert
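An added example, not part of the post above, showing two things a practitioner would check in this situation: how slapd's sasl-regexp turns the identity of a GSSAPI bind (uid=<principal>,cn=<realm>,cn=gssapi,cn=auth) into the directory DN, and how to read the failing ldapsearch line, which names the ticket the client asked the KDC for rather than the one the server holds. The SASL_REGEXPS rule and the GSSAPI_ERROR string are constructed from the slapd.conf lines and the error quoted in the post; the lowercase realm in the rule still matches an uppercase realm because slapd compiles these patterns as case-insensitive extended regexps. The function and variable names are this example's own.

```python
import re
from typing import Optional

# Constructed from the post: the sasl-regexp lines in slapd.conf,
# joined into (pattern, replacement-template) form.
SASL_REGEXPS = [
    (r"uid=(.*),cn=webtent.net,cn=gssapi,cn=auth",
     r"uid=$1,ou=People,dc=webtent,dc=net"),
]

# Constructed from the post: the "additional info" of the failing bind.
GSSAPI_ERROR = ("SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure "
                "(see text) (Server (krbtgt/WEBENT.NET@WEBTENT.NET) unknown)")


def sasl_auth_dn(authcid: str, realm: str, mech: str) -> str:
    """The SASL identity slapd derives from a successful bind, before any
    regexp mapping: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth."""
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def map_sasl_dn(sasl_dn: str, rules=SASL_REGEXPS) -> Optional[str]:
    """Apply sasl-regexp rules in order; the first match wins.
    slapd compiles the pattern with REG_EXTENDED|REG_ICASE, so match
    case-insensitively. $0 is the whole match, $1..$9 the groups.
    Returns None when no rule matches (slapd then keeps the raw cn=auth
    DN, which corresponds to no entry in the directory)."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def requested_server(error_text: str) -> Optional[str]:
    """Extract the principal the client asked the KDC for from the
    'Server (...) unknown' text of the GSSAPI error."""
    m = re.search(r"Server \(([^)]+)\) unknown", error_text)
    return m.group(1) if m else None


def target_realm(principal: str) -> str:
    """Realm a ticket request is really aimed at: krbtgt/<other>@<home>
    is a cross-realm TGT request for <other>; any other principal is
    aimed at the realm after the '@'."""
    name, _, home_realm = principal.rpartition("@")
    parts = name.split("/")
    if parts[0] == "krbtgt" and len(parts) == 2:
        return parts[1]
    return home_realm


def realm_mismatch(error_text: str, expected_realm: str) -> Optional[str]:
    """Return the realm the client tried to reach if it differs from the
    realm the server's service key lives in, else None."""
    server = requested_server(error_text)
    if server is None:
        return None
    realm = target_realm(server)
    return None if realm.upper() == expected_realm.upper() else realm


if __name__ == "__main__":
    print(map_sasl_dn(sasl_auth_dn("robert", "WEBTENT.NET", "GSSAPI")))
    print(realm_mismatch(GSSAPI_ERROR, "WEBTENT.NET"))
```

Run against the post's error text, realm_mismatch reports that the client was requesting a cross-realm TGT for WEBENT.NET, a realm that does not exist in this KDC, which points at the client-side realm/host configuration rather than at the server's keytab or the sasl-regexp rule.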