Re: open ldap with SASL & GSSAPI
Howard Chu wrote:
Maxwell Bottiger wrote:
I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet. Here's my
Open Ldap 2.2
MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal
is known to work well. On the client side, either one will work, but
generally I would recommend using Heimdal.
I'm using ldap to provide directory services and user info to some linux
workstations. This was working, but after upgrading a test machine to
Fedora 6 I've started having some serious problems.
[sleepylight@minitop ~]$ ldapsearch -H ldap://ns.jive-turkey.net -Y
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
I figure this is one of three possible problems.
1 - saslauthd isn't working right
SASL-enabled servers don't talk to saslauthd to perform GSSAPI
authentication, so that is out of the equation.
2 - ldap isn't talking to sasl correctly
3 - I've done something wrong with my ldap queries.
Kerberos seems to work fine. I can get my credentials with kinit, and
the GSSAPI credentials are working for ssh logins. Also, I can use
testsaslauthd and get a success from the authd server.
Since you say kinit works, what tickets does klist show you having?
Quite apart from all of this, running Fedora FC6 (a highly experimental
and inherently buggy release) in production is simply courting trouble.
MIT KerberosV and OpenLDAP 2.3 work perfectly well on RHAS4 (with the
intrinsic limitations that KerberosV has, and they are many), though as
Quanah points out, it could be slower than Heimdal. Using Heimdal on any
Red Hat system is a dead duck because of built-in program conflicts.
Been there, done that ...
tonni at barlaeus.nl
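Following Tony's "what tickets does klist show you" question, here is an added example (not code from anyone in this thread) that reads klist output after a GSSAPI bind attempt and reports which of the two needed tickets are present: the TGT and the ldap/<host> service ticket. The realm EXAMPLE.NET, the sample klist output and the helper name check_tickets are all constructed for the example.

```shell
#!/bin/sh
# Constructed klist output: a TGT and a host ticket, but no ticket for
# ldap/ns.jive-turkey.net yet (the realm EXAMPLE.NET is a placeholder).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: sleepylight@EXAMPLE.NET

Valid starting     Expires            Service principal
11/28/06 10:00:00  11/28/06 20:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET
11/28/06 10:00:05  11/28/06 20:00:00  host/minitop.example.net@EXAMPLE.NET'

# check_tickets KLIST_OUTPUT LDAP_HOST
# Returns 0 when both the TGT and the ldap/LDAP_HOST ticket are present,
# 1 when only the TGT is present, 2 when there is no TGT at all.
check_tickets() {
    klist_out=$1
    ldap_host=$2
    # No krbtgt line means kinit never ran (or the cache expired).
    if ! printf '%s\n' "$klist_out" | grep -q 'krbtgt/'; then
        echo "no TGT in cache: run kinit first"
        return 2
    fi
    # A service ticket for the slapd host shows the KDC was happy with
    # both principals, so a remaining failure points at the server side
    # (the ldap/HOST key in slapd's keytab, or its SASL/GSSAPI setup).
    if printf '%s\n' "$klist_out" | grep -q "ldap/$ldap_host@"; then
        echo "TGT and ldap/$ldap_host ticket present: look at slapd's keytab"
        return 0
    fi
    # TGT only: the client never obtained the service ticket, so the
    # problem is between client and KDC (name resolution of the host,
    # or no ldap/HOST principal registered in the KDC).
    echo "TGT present but no ldap/$ldap_host ticket: check the KDC has that principal"
    return 1
}

# Usage on a live system: check_tickets "$(klist)" ns.jive-turkey.net
check_tickets "$SAMPLE_KLIST" ns.jive-turkey.net || echo "status $?"
```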