
Authenticate to ldap using Kerberos



Hi group,

I have been fighting the whole day already with something that I think is quite simple, but I just can't get it to work: have slapd authenticate users against Kerberos. After following many tutorials and trying many things, I give up on that and ask for your help.

System: Debian Lenny.

Situation:
- workstation logins over the network authenticate against Kerberos
- credentials from LDAP
- Postfix has its alias database etc. in LDAP, as are the groups and user IDs and everything; this helps keep uids the same on the workstations, which is essential for NFS
- anything using PAM will be authenticated against Kerberos, including IMAP, Postfix, etc.

Except LDAP. There, slapd authenticates by itself against the password stored in LDAP, and that's not what I want. There should be no passwords in LDAP any more; everything should go against Kerberos. Then at least when a user changes their Kerberos password, the same password is used everywhere. I just can't get this to work for some reason. I have followed many tutorials, so many that I forgot what I did, and it still doesn't work.

slapd should use PAM to authenticate, or talk directly to the Kerberos server, whatever.

saslauthd has the GSSAPI module installed.

I have created an ldap/acorn.squirrel@SQUIRREL key, and added this keytab in /etc/defaults/slapd. acorn.squirrel is the fqdn of the server, SQUIRREL is its kerberos realm.

My clients all run Ubuntu 10.04 LTS (a nice desktop, but shitty to get Kerberos/LDAP authentication to work on, amongst other griefs).

Current situation after all the hacking:
$ ldapwhoami -x -D 'uid=wouter,ou=people,dc=squirrel' -W -h acorn.squirrel
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
That is when entering my Kerberos password; it accepts my credentials when I enter the LDAP-stored password (a different password).

Then I just did:
=======================
wouter@acorn:~$ ldapsearch -LLL -s base -b '' '(objectClass=*)' +
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
wouter@acorn:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_5lYS4w
Default principal: wouter@SQUIRREL

Valid starting     Expires            Service principal
09/08/10 22:42:07  09/09/10 08:42:07  krbtgt/SQUIRREL@SQUIRREL
        renew until 09/09/10 22:42:07
09/08/10 22:46:39  09/09/10 08:42:07  ldap/acorn.squirrel@SQUIRREL
        renew until 09/09/10 22:42:07


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
=======================

OK, it seems LDAP gets its ticket, issued the moment I ran the above command.
Still I get the bind error.
But for some reason I do not have a ticket myself, interesting. Strangely enough, running kinit doesn't solve this; on the workstations it does give me a ticket.
And running kinit kills the LDAP ticket, which appears strange to me.

Any ideas?
I'm probably missing something very simple... it shouldn't be that hard to have slapd get its credentials from Kerberos!

Thanks!

Wouter.
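Added example, not part of Wouter's post and not code from OpenLDAP or Debian: the three pieces that usually have to be in place for the setup described above (a mapping from the GSSAPI identity slapd derives from the Kerberos principal to the user's real entry, a {SASL} userPassword so simple binds are verified by saslauthd against the KDC, and a keytab that the slapd user can actually read), written so the mapping and the keytab can be checked before touching the live directory. Everything not in the post is an assumption: the keytab path /etc/ldap/ldap.keytab, slapd running as the "openldap" user, a cn=config style slapd, and saslauthd started with the kerberos5 mechanism; the realm SQUIRREL and the DN layout uid=<user>,ou=people,dc=squirrel are taken from the post.

```shell
#!/bin/sh
# Added example; not code from the original post or from OpenLDAP/Debian.
# Assumed (not stated on the page): keytab path /etc/ldap/ldap.keytab, slapd
# running as the "openldap" user, a cn=config style slapd, saslauthd using the
# kerberos5 mechanism. Realm and DN layout are taken from the post.

REALM='SQUIRREL'
PEOPLE_BASE='ou=people,dc=squirrel'
KEYTAB='/etc/ldap/ldap.keytab'
SLAPD_USER='openldap'

realm_lc() { printf '%s' "$REALM" | tr 'A-Z' 'a-z'; }

# 1. GSSAPI binds. slapd turns the principal user@REALM into the pseudo-DN
#    uid=user,cn=realm,cn=gssapi,cn=auth (realm lower-cased); without an
#    olcAuthzRegexp that DN matches no entry and no ACL. This function applies
#    the same rewrite the rule below installs, so it can be tested offline.
map_sasl_dn() {
    # $1: authorization DN as slapd builds it from the Kerberos principal
    printf '%s\n' "$1" |
        sed -n "s/^uid=\([^,]*\),cn=$(realm_lc),cn=gssapi,cn=auth\$/uid=\1,$PEOPLE_BASE/p"
}

# LDIF for:  ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
# (slapd.conf equivalent: "authz-regexp" with the same two arguments)
authz_regexp_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=$(realm_lc),cn=gssapi,cn=auth uid=\$1,$PEOPLE_BASE
EOF
}

# 2. Simple binds without a second password in LDAP: a {SASL} userPassword
#    makes slapd hand the supplied password to saslauthd, which verifies it
#    against the KDC when started with MECHANISMS="kerberos5". slapd's SASL
#    config (/usr/lib/sasl2/slapd.conf) then needs "pwcheck_method: saslauthd",
#    and on Debian the slapd user must be in the "sasl" group to reach the mux.
sasl_userpassword() {
    # $1: uid of the entry
    printf '{SASL}%s@%s\n' "$1" "$REALM"
}

userpassword_ldif() {
    cat <<EOF
dn: uid=$1,$PEOPLE_BASE
changetype: modify
replace: userPassword
userPassword: $(sasl_userpassword "$1")
EOF
}

# 3. The keytab named by KRB5_KTNAME in /etc/default/slapd must be readable by
#    the slapd user and by nobody else: a keytab left as root:root 0600 leaves
#    slapd without its ldap/ key, and a GSSAPI bind then typically fails on
#    the client with "Other (e.g., implementation specific) error (80)".
#    Returns 0 when owner and mode are acceptable, 1 otherwise.
check_keytab() {
    # $1: keytab path, $2: user slapd runs as
    kt=$1
    want=$2
    [ -f "$kt" ] || { echo "no such keytab: $kt" >&2; return 1; }
    perm=$(ls -ld "$kt" | cut -c1-10)
    set -- $(ls -ld "$kt")
    owner=$3
    [ "$owner" = "$want" ] ||
        { echo "keytab $kt is owned by $owner, not $want" >&2; return 1; }
    case "$perm" in
        -r??------) return 0 ;;
        *) echo "keytab $kt has mode $perm; group and others must have none" >&2
           return 1 ;;
    esac
}

# Print the configuration for the user "wouter" from the post and check the
# keytab on this host (run as: sh this-script.sh print).
print_config() {
    echo "# /etc/default/slapd"
    echo "export KRB5_KTNAME=$KEYTAB"
    echo
    authz_regexp_ldif
    echo
    userpassword_ldif wouter
    echo
    check_keytab "$KEYTAB" "$SLAPD_USER" && echo "# keytab $KEYTAB ok for $SLAPD_USER"
}

case "${1:-}" in
    print) print_config ;;
esac
```

The klist output in the post shows the client already holds a service ticket for ldap/acorn.squirrel@SQUIRREL, so the KDC side of the GSSAPI exchange worked and error 80 is being raised by slapd itself; the keytab check and the authz mapping are the two server-side things to verify first. Note that {SASL} passwords only cover simple binds; with the mapping in place, clients that can do SASL should bind with -Y GSSAPI (the default ldapsearch chose in the post) so no password crosses the wire at all.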