
Re: [Solved] AW: Re: AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable))



On Wednesday 10 September 2008 21:16:29 Hauke Coltzau wrote:
> Hi all,
>
> Wow, it seems to be done ;-)
>
> To put it in a nutshell:
>
> - apt-get purge MIT-Kerberos*
> - apt-get install Heimdal*
> - tried and failed, tried and failed, ...
>
> - apt-get purge heimdal*, cyrus*, openldap*
> - apt-get libssl-dev and libdb dev packages
> - got cyrus, openldap and heimdal tarballs
> - configured, compiled, tested, failed, configured, compiled,
>   tested, failed, conf.......... ...... ......
>   ... --- ... ... --- ...
>   configured, compiled, succeeded!
> - Followed well known configuration instructions

This was most likely the key ...

> Voila!
>
> ldapsearch -Y GSSAPI works
>
> ldaps works
>   (without client verification, did not solve that yet,
>    server verification works fine)
>
> login with kerberos authentication works
>   (with proxy ticket for the machine, this way I
>   avoid having PLAIN username/password sent to slapd)
>
> su, id, etc. works
>
> Seems as if doing it by hand is still the best way ;-)

Funny, but it works out of the box on Mandriva ...

BTW, I found that sometimes you need to look at the KDC logs to see what is 
happening on the Kerberos side (e.g., you may have reverse DNS records wrong, 
which would show up in the KDC logs etc.).

Regards,
Buchan
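
An added example, not part of the original message: a forward/reverse DNS consistency check for the LDAP server, which catches the wrong reverse DNS records mentioned above before they surface in the KDC logs. It assumes the SASL/GSSAPI client canonicalizes the server name through reverse DNS and so requests a ticket for `ldap/<PTR name>`; the host names, addresses and function names are constructed for illustration.

```python
import socket

def dns_forward(host):
    """Addresses the name resolves to, via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def dns_reverse(addr):
    """PTR name for an address, or None when there is no record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def norm(name):
    return name.rstrip(".").lower()

def check_host(host, service="ldap", forward=dns_forward, reverse=dns_reverse):
    """Return (address, PTR name, principal a client would request, status)."""
    expected = f"{service}/{norm(host)}"
    addrs = forward(host)
    if not addrs:
        return [(host, None, None, "no forward record")]
    findings = []
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            findings.append((addr, None, None, "no PTR record"))
            continue
        requested = f"{service}/{norm(ptr)}"
        if requested != expected:
            status = f"PTR mismatch: expected {expected}"
        elif addr not in forward(ptr):
            status = "PTR name does not resolve back"
        else:
            status = "ok"
        findings.append((addr, norm(ptr), requested, status))
    return findings

# Constructed sample records so the check runs offline.
FWD = {"ldap.example.org": ["192.0.2.10", "192.0.2.11"]}
PTR = {"192.0.2.10": "ldap.example.org.", "192.0.2.11": "host11.example.org"}
def sample_forward(host): return FWD.get(norm(host), [])
def sample_reverse(addr): return PTR.get(addr)

if __name__ == "__main__":
    for row in check_host("ldap.example.org", forward=sample_forward, reverse=sample_reverse):
        print(row)
```

Called without the `forward` and `reverse` arguments, `check_host` uses the system resolver, so it should be run on the client machine that fails to bind.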