Hi,
I'm fairly new to the world of LDAP/OpenLDAP (as well as Kerberos and
SASL ;) so excuse me if I make a mistake.
I've set up Kerberos (which works, as far as I can tell -- I can get a
ticket, etc.) and can fully run the cyrus-sasl2
sample-server/sample-client suite, which is proof it works, I guess.
When I come to getting OpenLDAP21 to use Kerberos to authenticate, I
run into trouble. My directory (for testing) is simple:
dn: dc=lewiz,dc=org
dc: lewiz
objectClass: top
objectClass: domain

dn: ou=People,dc=lewiz,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=lewiz,ou=People,dc=lewiz,dc=org
uid: lewiz
cn: Lewis Thompson
objectClass: account
objectClass: top
objectClass: krb5Principal
krb5PrincipalName: lewiz@LEWIZ.ORG
and I also have the following in my slapd.conf:
sasl-realm LEWIZ.ORG
sasl-host ldap.lewiz.org
sasl-regexp
uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth
uid=$1,ou=People,dc=lewiz,dc=org
As I said, I'm new to this, but I believe the sasl-regexp matches up
the provided details to the actual entry (from the Administration Guide
(http://www.openldap.org/devel/admin/sasl.html)).
Anyhow, I can successfully get a ticket with "kinit lewiz", but when
I try and do a simple "ldapsearch -I" I receive the following:
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
In my log file I get the following (loglevel 2):
Jul 27 01:50:42 orange slapd[61641]: connection_get(12)
Jul 27 01:50:43 orange last message repeated 2 times
Jul 27 01:50:43 orange slapd[61641]: SRCH "" 0 0
Jul 27 01:50:43 orange slapd[61641]: 0 0 0
Jul 27 01:50:43 orange slapd[61641]: filter: (objectClass=*)
Jul 27 01:50:43 orange slapd[61641]: attrs:
Jul 27 01:50:43 orange slapd[61641]: supportedSASLMechanisms
Jul 27 01:50:43 orange slapd[61641]:
Jul 27 01:50:43 orange slapd[61641]: send_ldap_result: err=0 matched="" text=""
Jul 27 01:50:44 orange slapd[61641]: connection_get(12)
Jul 27 01:50:44 orange slapd[61641]: ==> sasl_bind: dn="" mech=GSSAPI datalen=542
Jul 27 01:50:44 orange slapd[61641]: GSSAPI Failure: gss_accept_sec_context
Jul 27 01:50:44 orange slapd[61641]: send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
Jul 27 01:50:44 orange slapd[61641]: connection_get(12)
also, Kerberos logs show:
2003-07-27T02:50:44 TGS-REQ lewiz@LEWIZ.ORG from IPv4:192.168.0.2 for ldap/orange.lewiz.org@LEWIZ.ORG
so the ticket is definitely being checked, or something like that.
Furthermore, I have ldap/orange.lewiz.org in the keytab slapd is running
on.
I've been unable to find much detail on the error (in fact, it doesn't
even appear to be an error) and /any/ help would be greatly appreciated!
Thanks very much,
-lewiz.
--
If you took all the students that fell asleep in class and laid them
end to end, they'd be a lot more comfortable.
-- "Graffiti in the Big Ten"
------------------------------------------------------------------------
-| msn:purple@lewiz.net | jab:lewiz@jabber.org | url:http://lewiz.net |-
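The sasl-regexp in the post is the part that turns a successful GSSAPI authentication into a directory entry, and it only runs after gss_accept_sec_context has succeeded, so the err=49 in the log is raised before any mapping happens. The following is an added example, not code from the post or from OpenLDAP: it reproduces the mapping step in Python so the rule can be checked offline against the identity string slapd builds for a GSSAPI bind (uid=<user>,cn=<realm>,cn=gssapi,cn=auth, per the Admin Guide page linked above). The helper names, the case-insensitive match (my understanding of how slapd compiles these patterns) and the sample identities are assumptions of this example.

```python
import re

# The rule from the post, as (match, replace). slapd reads these from slapd.conf;
# here they are a constructed in-memory copy for checking.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=lewiz.org,cn=gssapi,cn=auth",
     r"uid=$1,ou=People,dc=lewiz,dc=org"),
]


def gssapi_auth_identity(user: str, realm: str) -> str:
    """Shape of the SASL authentication DN slapd forms for a GSSAPI bind
    (user = Kerberos principal without the realm, realm = sasl-realm or the
    principal's realm). Hypothetical helper, mirrors the Admin Guide's description."""
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def map_identity(auth_dn: str, rules=SASL_REGEXP_RULES):
    """Apply sasl-regexp rules in order; first full match wins, $1..$9 are
    replaced with the capture groups. Returns None when no rule matches,
    which is what leaves a bind without a usable authorization DN."""
    for pattern, replacement in rules:
        # Assumption: slapd matches these patterns case-insensitively
        # (REG_ICASE), which is why the lowercase cn=lewiz.org can still
        # match the realm LEWIZ.ORG.
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def check_rule(user: str, realm: str, expected_dn: str) -> bool:
    """Offline check: does the rule map this principal/realm to the DN we
    expect it to? Useful before restarting slapd after editing the regexp."""
    return map_identity(gssapi_auth_identity(user, realm)) == expected_dn


if __name__ == "__main__":
    # The principal from the post.
    print(map_identity(gssapi_auth_identity("lewiz", "LEWIZ.ORG")))
    # A principal from another realm: no rule matches, because the realm is
    # pinned in the pattern. That pin is what stops a foreign-realm principal
    # with the same uid from being mapped onto a local entry.
    print(map_identity(gssapi_auth_identity("lewiz", "EXAMPLE.COM")))
```

Note that the `(.*)` capture accepts any principal name in the realm, including ones like host/orange.lewiz.org; those simply map to a DN that does not exist under ou=People, so tightening the capture to the character set you actually issue as uids is a reasonable hardening once the GSSAPI exchange itself works.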