[Date Prev][Date Next]
Re: mit-krb5 GSSAPI authentication
--On Tuesday, February 21, 2006 2:38 PM +0000 Alan Jones
I'm having trouble with Kerberos authentication on openldap.
I'm on gentoo running openldap-2.2.28-r4, cyrus-sasl-2.1.21-r2,
mit-krb5-1.4.3 and openssl-0.9.7i.
When I run ldapsearch -H ldap://water/ -b dc=fluid I get
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
I've looked at the log and it appears that when sasl_bind is called the DN
I've removed the saslregex from my slapd.conf just to check it wasn't
replacing it with nothing.
The keytab is ldap:ldap 640 and the slapd is run as user ldap. The keytab
is listed in /etc/conf.d/slapd
Does anyone have an idea what would be causing these errors?
Thanks for any help and suggestions.
I'll note a couple of things:
(a) MIT kerberos is magnitudes slower than Heimdal. If you are going to be
using SASL/GSSAPI authorization to OpenLDAP, I suggest using Heimdal if you
want any sort of decent performance from it.
(b) It looks like you need to play with the sample SASL server/client from
Cyrus SASL to get SASL/GSSAPI working before you set up OpenLDAP.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html