
Re: Kerberized LDAP not accessible

On 21/01/11 17:51 +0100, Thomas Schweikle wrote:
On 21.01.2011 17:17, Dan White wrote:
On Debian based systems, it's renamed as saslpluginviewer. It's located
in the sasl2-bin package. The GSSAPI mechanism is installed in one of:


Package sasl2-bin wasn't installed, libsasl2-modules-gssapi-mit was.
Now I have:

Plugin "gssapiv2" [loaded],     API version: 4
       SASL mechanism: GSSAPI, best SSF: 56
       security flags:

#ldapsearch -LLL -x -H ldap://srv.example.com -s "base" -b ""
supportedSASLMechanisms: GSSAPI

#ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b ""
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
error (80)
       additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Permission denied)

Within the credentials cache:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@XOMPU.DE

Valid starting     Expires            Service principal
01/21/11 11:32:03  01/21/11 21:32:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 01/22/11 11:31:58
01/21/11 16:20:04  01/21/11 21:32:03  host/srv.example.com@EXAMPLE.COM
       renew until 01/22/11 11:31:58
01/21/11 16:46:15  01/21/11 21:32:03  ldap/srv.example.com@EXAMPLE.COM
       renew until 01/22/11 11:31:58

I keep getting Permission Denied errors.

That error (Permission denied) may be generated by the server. Verify that
the keytab file you're using is readable by the openldap user or group.

Dan White
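
The keytab readability check suggested in the reply above, as an added example that is not part of the original thread. It evaluates mode bits in the kernel's owner, group, other order and flags a keytab that is readable only because it is world-readable. The `openldap` account name comes from the message; `/etc/krb5.keytab` in the usage line and the numeric ids in the comments are assumptions, and `stat -c` is the GNU form found on Debian.

```shell
#!/bin/sh
# Added example (not from the thread). Reports which permission class, if any,
# lets an account read a keytab. The first matching class decides: an owner
# without the read bit is denied even if the group bits would allow it.

# keytab_access MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Prints one of: root | owner | group | other | none
keytab_access() {
    bits=$((0$1))                      # octal mode as printed by `stat -c %a`
    if [ "$4" -eq 0 ]; then echo root; return 0; fi
    if [ "$4" -eq "$2" ]; then
        if [ $((bits & 0400)) -ne 0 ]; then echo owner; else echo none; fi
        return 0
    fi
    for gid in $5; do
        if [ "$gid" -eq "$3" ]; then
            if [ $((bits & 0040)) -ne 0 ]; then echo group; else echo none; fi
            return 0
        fi
    done
    if [ $((bits & 0004)) -ne 0 ]; then echo other; else echo none; fi
}

# check_keytab FILE ACCOUNT
# Returns 0 if ACCOUNT can read FILE through owner or group bits, 1 otherwise.
check_keytab() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    uid=$(id -u "$2") || return 2
    gids=$(id -G "$2")
    # $st is deliberately unquoted: it expands to mode, uid and gid.
    class=$(keytab_access $st "$uid" "$gids")
    case $class in
        none)  echo "$1: NOT readable by $2 (mode uid gid: $st)"; return 1 ;;
        other) echo "$1: readable by $2 only because it is world-readable"; return 1 ;;
        *)     echo "$1: readable by $2 via $class permissions" ;;
    esac
}

# Usage (path is an assumption): sh check_keytab.sh /etc/krb5.keytab openldap
if [ "$#" -eq 2 ]; then check_keytab "$1" "$2"; fi
```

Only the mode bits are evaluated; ACLs, search permission on parent directories and mandatory access control policy are not.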