[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite

I have both those files, however, not sure if the permissions are set correctly:

frisbee# ls -l /etc/krb5*
-rw-r--r--  1 root  wheel  128 Aug  7 14:09 /etc/krb5.conf
-rw-------  1 root  wheel  286 Aug  7 16:01 /etc/krb5.keytab

As far as the keytab files goes, I used this to create it:

frisbee# kadmin -l
kadmin> ext ldap/frisbee.crazy.lan
kadmin> exit

Just to clarify, ldap and kerberos are running on the same machine (frisbee.crazy.lan).

Also here's the contents of krb5.conf just to catch any errors you may find:

frisbee# cat /etc/krb5.conf
    default_realm = CRAZY.LAN

    kdc = 0/FILE:/var/log/kdc.log
    kdc = 1-/SYSLOG:INFO:USER
    default = STDERR

I have the proper DNS settings for kerberos, here's my BIND setup:

frisbee        IN    A
_kerberos._udp    IN    SRV    01 00 88 frisbee.crazy.lan.
_kerberos._tcp     IN    SRV    01 00 88 frisbee.crazy.lan.
_kpasswd._udp    IN    SRV    01 00 464 frisbee.crazy.lan.
_kerberos-adm._tcp IN    SRV    01 00 749 frisbee.crazy.lan.
_kerberos    IN    TXT    CRAZY.LAN

On Tue, Aug 11, 2009 at 4:42 PM, Howard Chu <hyc@symas.com> wrote:
Dieter Kluenter wrote:
Allan<cr4z3d@gmail.com>  writes:

Seems like slapd is linked to gssapi and sasl. Are there simply command line
options I'm missing to start up slapd?

frisbee# ldd /usr/local/libexec/slapd
    libldap_r-2.4.so.6 =>  /usr/local/lib/libldap_r-2.4.so.6 (0x2820b000)
    liblber-2.4.so.6 =>  /usr/local/lib/liblber-2.4.so.6 (0x28250000)
    libdb-4.6.so.0 =>  /usr/local/lib/libdb-4.6.so.0 (0x2825d000)
    libsasl2.so.2 =>  /usr/local/lib/libsasl2.so.2 (0x28385000)
    libgssapi.so.9 =>  /usr/lib/libgssapi.so.9 (0x2839c000)

This seem to be different libraries than the sasl libraries, as below:


These usually are dynamically loaded by libsasl2, so they would never be directly linked into the slapd (or any other) binaries.

Most likely the gssapi plugin is not initializing itself, maybe because there is no krb5.conf file, or because there is no keytab with slapd's key inside, or the files are not readable by slapd, etc...

 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/