
Re: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)



On 05/07/11 17:52 +0200, Fabien COMBERNOUS wrote:
> Hi there,
>
> I have an OpenLDAP master (hosted by server) and an OpenLDAP replica (hosted by replica). Authentication uses SASL/GSSAPI with Kerberos.
>
> On the master I get the following output:
> server:~ admin$ kinit root
> Please enter the password for root@SERVER.LAN:
> server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)

What do your /etc/ldap.conf and ~/.ldaprc look like?

You might try adding a '-d -1' to your ldapsearch command for additional
debugging information.

What does your credentials cache look like after running the ldapsearch? Did
you receive an ldap service ticket for the replica server? Are you sure
you're referencing the replica by name, and not by IP address in your
ldap.conf?

Do you see any additional errors in your local auth-facility syslog file?
Do you see anything relevant in the syslog of your Kerberos server?

> On the replica all looks fine:
> replica:~ admin$ kinit root
> Please enter the password for root@SERVER.LAN:
> server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
> SASL/GSSAPI authentication started
> SASL username: root@SERVER.LAN
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=mounts,dc=server,dc=lan> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> etc ...
>
> I saw some threads on the mailing list that say to take care of the owner, groups and permissions of the krb5.keytab and database files. All looks good on this side.
>
> Any other areas to check?

--
Dan White
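
The following is an added example, not part of the original message or of OpenLDAP: a shell sketch of two of the checks asked about above, whether ldap.conf names a server by IPv4 address and whether the credentials cache holds an `ldap/` service ticket for it. The function names, the host name `replica.server.lan`, the address and the sample klist listing (MIT-style layout) are constructed assumptions.

```shell
#!/bin/sh
# Added example; all sample data below is constructed for illustration.

# Read an ldap.conf-style file on stdin and print every server in its
# URI/HOST lines that is an IPv4 literal rather than a host name.
ip_hosts_in_ldap_conf() {
    awk '
        toupper($1) == "URI" || toupper($1) == "HOST" {
            for (i = 2; i <= NF; i++) {
                h = $i
                sub("^[a-zA-Z]+://", "", h)   # drop ldap:// or ldaps://
                sub("[:/].*$", "", h)         # drop :port and /path
                if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print h
            }
        }'
}

# Read klist output on stdin; succeed if it lists a service ticket for
# ldap/<host> (host given as $1).
has_ldap_ticket() {
    grep -F -q "ldap/$1@"
}

# Constructed ldap.conf: one server by address, one by name.
sample_conf() {
cat <<'EOF'
# constructed sample
BASE dc=server,dc=lan
URI ldap://192.0.2.10:389 ldap://replica.server.lan
EOF
}

# Constructed cache listing holding only the TGT obtained by kinit.
sample_klist() {
cat <<'EOF'
Valid starting     Expires            Service principal
07/05/11 17:40:01  07/06/11 03:40:01  krbtgt/SERVER.LAN@SERVER.LAN
EOF
}

sample_conf | ip_hosts_in_ldap_conf | sed 's/^/IP literal in ldap.conf: /'
sample_klist | has_ldap_ticket replica.server.lan ||
    echo "no ldap/replica.server.lan service ticket in cache"
```

On a real client the same functions take live input, for example `ip_hosts_in_ldap_conf < /etc/ldap.conf` and `klist | has_ldap_ticket <server host name>`, run after the failing ldapsearch.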