
Re: OpenLDAP with SASL: No principal in keytab matches desired name



YESSSS!!! That was it!!!  It's working fine now!!

Thank you very much!! :D

# ldapsearch -h localhost -b "dc=teste,dc=com" -LLL uid=rodolfo

SASL/GSSAPI authentication started
SASL username: rodolfo@ROOT.IME.UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn: uid=rodolfo,ou=People,dc=teste,dc=com
uid: rodolfo
cn: Rodolfo Broco Manin
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /tmp
gecos: Rodolfo Broco Manin
description: Usuario local de teste
sn: Manin
userPassword:: **********

[]s!
Rodolfo


> When starting slapd, try adding the environment variable to specify the
> keytab file (below).  I believe srvtab was for Krb4 authentication.
>
> KRB5_KTNAME=/etc/ldap.keytab /path/to/slapd ....
>
> -Matt
>
> On Wed, 2004-12-22 at 11:08, Rodolfo Broco Manin wrote:
>> Hi, All!
>>
>> We are using OpenLDAP + Kerberos to perform user validation here, and
>> now I need to enable OpenLDAP's SASL authentication (to use with Cyrus
>>  IMAP and QMail).  I'm testing it with OpenLDAP (2.2.13 - Fedora Core
>> 3),  but, when I try to perform a search - like:
>>
>> # ldapsearch -h my.host.name -Y GSSAPI
>>
>> (after doing a kinit), I get the message:
>>
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Internal (implementation specific) error
>> (80)
>>         additional info: SASL(-1): generic failure: GSSAPI Error:
>> Miscellaneous failure (No principal in keytab matches desired name)
>>
>> Question is: what principal is missing??   I tried running slapd with
>> various debug flags, but it says only:
>>
>> conn=0 fd=10 ACCEPT from IP=143.106.77.85:33134 (IP=0.0.0.0:389)
>> conn=0 op=0 BIND dn="" method=163
>> SASL [conn=0] Failure: GSSAPI Error: Miscellaneous failure (No
>> principal  in keytab matches desired name)
>> conn=0 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure:
>> GSSAPI  Error: Miscellaneous failure (No principal in keytab matches
>> desired name) conn=0 fd=10 closed
>>
>> My /usr/lib/sasl2/slapd.conf has only one line:
>>
>> auxprop_plugin: slapd
>>
>> and I _do_ have a ldap/my.host.name at my keytab:
>>
>> # ktutil
>> ktutil:  rkt /etc/openldap/slapd.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ----
>> ---------------------------------------------------------------------
>>    1    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    2    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    3    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>    4    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
>> ktutil:
>>
>> (the "srvtab" parameter at my slapd.conf points to the file above)
>>
>> This host is DNS-resolving itself fine in both direct and reverse
>> ways,  and I'm running slapd as root (for tests).   Using ldapsearch
>> with  simple auth works fine (with and without TLS).   I have
>> saslauthd  running (and it is working with testsaslauthd, and with
>> sasl-sample-server/client, using GSSAPI mech.)
>>
>> The slapd.conf I'm using looks like this:
>>
>> ----------------------------------------------------------------
>> include         /etc/openldap/schema/core.schema
>> include         /etc/openldap/schema/cosine.schema
>> include         /etc/openldap/schema/inetorgperson.schema
>> include         /etc/openldap/schema/nis.schema
>> allow bind_v2
>>
>> pidfile         /var/run/slapd.pid
>> argsfile        /var/run/slapd.args
>>
>> TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
>> TLSCertificateFile /usr/share/ssl/certs/myhost.pem
>> TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key
>>
>> sasl-host damasco.ime.unicamp.br
>> srvtab /etc/openldap/slapd.keytab
>> sasl-regexp UID=([^,]*),CN=.* UID=$1,OU=People,DC=teste,DC=com
>>
>> # FOR TEST ONLY!
>> access to * by * write
>>
>> database        bdb
>> suffix          "dc=teste,dc=com"
>> rootdn          "cn=boss,dc=teste,dc=com"
>> rootpw                  teste
>>
>> directory       /var/lib/ldap
>>
>> index objectClass                       eq,pres
>> index ou,cn,mail,surname,givenname      eq,pres,sub
>> index uidNumber,gidNumber,loginShell    eq,pres
>> index uid,memberUid                     eq,pres,sub
>> index nisMapName,nisMapEntry            eq,pres,sub
>> ----------------------------------------------------------------
>>
>> Btw, after running ldapsearch, klist shows me a service principal, in
>> addition to my own one:
>>
>> # klist
>> Credentials cache: /tmp/krb5cc_0
>>
>> Default principal: me@ROOT.IME.UNICAMP.BR, 2 entries found.
>>
>> [1]  Service Principal:
>> krbtgt/ROOT.IME.UNICAMP.BR@ROOT.IME.UNICAMP.BR
>>      Valid starting:  Dec 22,  2004 12:39
>>      Expires:         Dec 23,  2004 12:39
>> [2]  Service Principal:  ldap/my.host.name@ROOT.IME.UNICAMP.BR
>>      Valid starting:  Dec 22,  2004 12:39
>>      Expires:         Dec 23,  2004 12:39
>>
>> This thing is really getting me crazy...
>>
>> Some hint??
>>
>> Thanks in advance!!
> --
> Matthew J. Smith <matt.smith@uconn.edu>
> University of Connecticut ITS
> PGP Key: http://web.uconn.edu/dotmatt/matt.asc
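A preflight script for the fix described in this thread, added here as an example and not taken from the thread or from OpenLDAP itself. It checks, before slapd is started, that the keytab which will be handed to it through KRB5_KTNAME actually contains the ldap/<host>@REALM principal GSSAPI will ask for (the host part must match what slapd announces via sasl-host, otherwise the "No principal in keytab matches desired name" failure is exactly what results), and that the keytab is not readable by other users. The `klist -kt` listing embedded as SAMPLE_LISTING is constructed to mirror the ktutil output above; the script name, the `/usr/sbin/slapd` path and the `ldap` service account are assumptions.

```shell
#!/bin/sh
# Preflight check before starting slapd with GSSAPI (example for this thread).
# Verifies that the keytab passed via KRB5_KTNAME holds the ldap/<host>@REALM
# principal and is private to the service user, then execs slapd.

# Constructed sample of `klist -kt` output, mirroring the ktutil listing in
# the thread (four entries, KVNO 4); lets the checks be exercised offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/openldap/slapd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 12/22/04 12:00:00 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   4 12/22/04 12:00:00 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   4 12/22/04 12:00:00 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   4 12/22/04 12:00:00 ldap/my.host.name@ROOT.IME.UNICAMP.BR'

# expected_principal HOST REALM -> the service name GSSAPI derives for the
# LDAP service on HOST. HOST must be the name slapd announces (sasl-host in
# slapd.conf), or the keytab entry will never be "the desired name".
expected_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# keytab_has_principal PRINCIPAL LISTING
# LISTING is the text of `klist -kt`; succeeds if PRINCIPAL is the last
# field of any entry line (header and "Keytab name:" lines never match).
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF >= 3 && $NF == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_mode_ok PATH: group and other permission bits must all be clear,
# since anyone able to read the keytab can impersonate the LDAP service.
keytab_mode_ok() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# start_slapd KEYTAB HOST REALM: run the checks, then exec slapd with
# KRB5_KTNAME set for the daemon (the thread's fix; the srvtab directive
# in slapd.conf does not do this). slapd path and service user are assumed.
start_slapd() {
    keytab="$1"
    wanted=$(expected_principal "$2" "$3")
    listing=$(klist -kt "$keytab") || { echo "cannot read $keytab" >&2; return 1; }
    keytab_has_principal "$wanted" "$listing" || {
        echo "$keytab has no entry for $wanted" >&2; return 1; }
    keytab_mode_ok "$keytab" || {
        echo "$keytab is readable by group/other; chmod 600 it" >&2; return 1; }
    KRB5_KTNAME="$keytab" exec /usr/sbin/slapd -h 'ldap:///' -u ldap -g ldap
}

# Usage: ./slapd-preflight.sh /etc/openldap/slapd.keytab "$(hostname -f)" ROOT.IME.UNICAMP.BR
# Without exactly three arguments the script only defines the functions.
if [ $# -eq 3 ]; then
    start_slapd "$1" "$2" "$3"
fi
```

Because the environment variable is applied to the exec'd slapd rather than to a login shell, the keytab is found even when slapd is later run from an init script as an unprivileged user, which is where a setting made only at the interactive prompt tends to get lost.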