[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap/Sasl/GSSAPI on Debian: Key table entry not found

On 01/17/12 21:45 +0200, Toomas Vendelin wrote:
The goal: to make an OpenLDAP server to authenticate using Kerberos V via GSSAPI

Setup: several virtual machines running on freshly installed/updated
Debian Squeeze

A master KDC server


A LDAP server, running OpenLDAP


The problem:

tom@ldap:~$ ldapsearch -b 'dc=example,dc=com'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
   additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Key
table entry not found)

One might suggest to add that keytab entry, but:

ktutil:  rkt /etc/ldap/ldap.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    2        ldap/ldap.example.com@EXAMPLE.COM
  2    2        ldap/ldap.example.com@EXAMPLE.COM
  3    2        ldap/ldap.example.com@EXAMPLE.COM
  4    2        ldap/ldap.example.com@EXAMPLE.COM

So, the entry as suggested by the OpenLDAP manual is there allright.
Deleting and re-creating both service principal and the keytab on
ldap.example.com didn't help, I get the same error. And before I make
the keytab file readable by openldap, I get "Permission denied" error
instead of the one in the subject. Which implies that the right keytab
file is being accessed, as set in /etc/default/slapd.

I have my doubts about the following part of slapd config:

root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
olcSaslHost: kdc.example.com

I think you'll find that libsasl2 is searching for ldap/kdc.example.com in
your credentials cache. Try changing this to:

olcSaslHost: ldap.example.com

olcSaslRealm: EXAMPLE.COM
olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth"

A HOWTO at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication

   Also, it is frequently necessary to map the Distinguished Name
(DN) of an authorized Kerberos client to an existing entry in the DIT.

I fail to understand where in the tree this should be defined, what
schema should be used, etc. After hours of googling, it's official:
I'm stuck! Please, help.

When I was learning how to map entries, I found ldapwhoami to be very
useful. As an example, you might see this *before* creating any authz-regex

$ ldapwhoami -Y gssapi -H ldap://ldap.example.com
SASL/GSSAPI authentication started
SASL username: ...
SASL data security layer installed.

Then, you can create your maps piecemeal wise until your identity becomes
what you really what it to be, e.g.:


See chapter 15 of the openldap administrator's guide for examples, and then
see the manpage for slapd-config for details on how to create the
corresponding olcAuthzRegexp entries.

Dan White