
Re: open ldap with SASL & GSSAPI

Maxwell Bottiger wrote:
Hello all,

	I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet.  Here's my

Open Ldap 2.2
MIT Kerberos
SASL 2.1.20

MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal is known to work well. On the client side, either one will work, but generally I would recommend using Heimdal.

I'm using ldap to provide directory services and user info to some linux
workstations.  This was working, but after upgrading a test machine to
Fedora 6 I've started having some serious problems.

[sleepylight@minitop ~]$  ldapsearch -H ldap://ns.jive-turkey.net -Y
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

I figure this is one of three possible problems. 1 - saslauthd isn't working right

SASL-enabled servers don't talk to saslauthd to perform GSSAPI authentication, so that is out of the equation.

2 - ldap isn't talking to sasl correctly


3 - I've done something wrong with my ldap queries.


Kerberos seems to work fine. I can get my credentials with kinit, and the GSSAPI credentials are working for ssh logins. Also, I can use testsaslauthd and get a success from the authd server.

Since you say kinit works, what tickets does klist show you having?

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
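As an added illustration of the klist check Howard asks for (not code from the thread or from OpenLDAP): a small POSIX sh helper that reads klist output and reports whether the cache holds the two things a GSSAPI bind needs, a TGT for the client's realm and a service ticket for ldap/<server-fqdn>@REALM. The hostnames, realm and principals are constructed sample values.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. Hostnames, realm and
# principals below are constructed sample values, not real ones.

# Constructed sample klist output (MIT format) for a cache that should work.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: sleepylight@EXAMPLE.NET

Valid starting     Expires            Service principal
01/01/07 10:00:00  01/01/07 20:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET
01/01/07 10:00:05  01/01/07 20:00:00  ldap/ns.example.net@EXAMPLE.NET'

# Constructed sample with only a TGT: kinit succeeded, but no ldap/ service
# ticket was ever issued (e.g. the KDC has no matching service principal).
SAMPLE_KLIST_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: sleepylight@EXAMPLE.NET

Valid starting     Expires            Service principal
01/01/07 10:00:00  01/01/07 20:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET'

# realm_of KLIST_TEXT -> prints the realm of the default principal
realm_of() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@\(.*\)$/\1/p'
}

# check_gssapi_tickets KLIST_TEXT LDAP_HOST
# returns 0: TGT and ldap/<host> ticket present
#         1: no default principal or no TGT (kinit has not been run)
#         2: TGT present but no ldap/<host> service ticket
check_gssapi_tickets() {
    klist_text=$1
    ldap_host=$2
    realm=$(realm_of "$klist_text")
    [ -n "$realm" ] || { echo "no default principal in cache"; return 1; }
    if ! printf '%s\n' "$klist_text" | grep -q -- "krbtgt/$realm@$realm\$"; then
        echo "no TGT for $realm: run kinit first"
        return 1
    fi
    if ! printf '%s\n' "$klist_text" | grep -q -- "ldap/$ldap_host@$realm\$"; then
        echo "TGT ok, but no ldap/$ldap_host@$realm ticket: check the server principal and keytab"
        return 2
    fi
    echo "TGT and ldap/$ldap_host@$realm ticket present"
    return 0
}
```

In real use run it as `check_gssapi_tickets "$(klist)" ns.jive-turkey.net` right after a failed ldapsearch: the client obtains the ldap/ service ticket from the KDC before the server ever sees the bind, so if that ticket is present the KDC side is fine and the gss_accept_sec_context failure points at the server's keytab or principal.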