
Re: open ldap with SASL & GSSAPI

Howard Chu wrote:
Maxwell Bottiger wrote:
Hello all,

    I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet.  Here's my

Open Ldap 2.2
MIT Kerberos
SASL 2.1.20

MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal is known to work well. On the client side, either one will work, but generally I would recommend using Heimdal.

I'm using ldap to provide directory services and user info to some linux
workstations.  This was working, but after upgrading a test machine to
Fedora 6 I've started having some serious problems.

[sleepylight@minitop ~]$  ldapsearch -H ldap://ns.jive-turkey.net -Y
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

I figure this is one of three possible problems. 1 - saslauthd isn't working right

SASL-enabled servers don't talk to saslauthd to perform GSSAPI authentication, so that is out of the equation.

2 - ldap isn't talking to sasl correctly


3 - I've done something wrong with my ldap queries.


Kerberos seems to work fine. I can get my credentials with kinit, and the GSSAPI credentials are working for ssh logins. Also, I can use testsaslauthd and get a success from the authd server.

Since you say kinit works, what tickets does klist show you having?

Quite apart from all of this, running Fedora FC6 (a highly experimental and inherently buggy release) in production is simply courting trouble. MIT KerberosV and OpenLDAP 2.3 work perfectly well on RHAS4 (with the intrinsic limitations that KerberosV has, and they are many), though as Quanah points out, it could be slower than Heimdal. Using Heimdal on any Red Hat system is a dead duck because of built-in program conflicts. Been there, done that ...


tonni at barlaeus.nl
Tony Earnshaw