
setting up SASL+GSSAPI



Andrew,

For me the answer was to apply a patch for 2.0.4, for a bug that's described
here (patch URL is at the bottom of the message):

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=791;expression=SASL;user=guest

Hope that helps. I did manage to get it all working with Kerberos, GSSAPI
and SASL. Very nice, and thanks to
Phil and Kurt for the help.

regards,
kd

> -----Original Message-----
> From: Andrew Houghton [mailto:aah@acm.org]
> Sent: Sunday, October 01, 2000 3:30 PM
> To: kyle.downey@amberarcher.com
> Subject: Re: stumped: setting up SASL+GSSAPI
>
>
> Kyle --
>
> Please let me know if you get this working.  I'm dealing with a slightly
> different problem, but the symptoms are the same; I'm using sasl.db rather
> than kerberos, and I get the same "Can't contact LDAP server" message.
> Everything seems to work fine for me (The GSSAPI client/server test worked
> too, strangely enough.)
>
> Any extra info?  I'm a security / SASL / kerberos newbie, and I'd rather not
> have to install kerberos at all.
>
> - a.
>
>
> ----- Original Message -----
> From: "Kyle Downey" <kyle.downey@amberarcher.com>
> To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> Cc: <openldap-software@OpenLDAP.org>
> Sent: Saturday, September 30, 2000 9:26 AM
> Subject: RE: stumped: setting up SASL+GSSAPI
>
>
> > I should have added that. I'm writing in part because
> >
> > a) I followed the doc/gssapi.html examples
> >
> > and
> >
> > b) I get a "local error" in the GSSAPI code, which that
> > document indicates could be just about anything on the GSSAPI side
> >
> > I moved to trying LDAP just in case it was a misconfiguration of that
> > particular combo on my part. It seems instead to be systemic.
> >
> > I mailed the author of that document and have not heard back, so
> > I was looking for any additional guidance. I'm at the point of
> > downloading and installing DDD and trying my best to debug it, but
> > since I don't know EITHER body of code, I'm not optimistic about that.
> >
> > regards,
> > kd
> >
> > > -----Original Message-----
> > > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > > Sent: Saturday, September 30, 2000 11:16 AM
> > > To: kyle.downey@amberarcher.com
> > > Cc: openldap-software@OpenLDAP.org
> > > Subject: Re: stumped: setting up SASL+GSSAPI
> > >
> > >
> > > Do you have the Cyrus SASL sample client and server working?
> > > See the Cyrus SASL doc/gssapi.html for assistance.
> > >
> > > At 08:51 AM 9/30/00 -0400, Kyle Downey wrote:
> > > >Okay, I've been banging my head against Kerberos and OpenLDAP for the
> > > >last week, and I declare utter defeat. Learned more about Kerberos than
> > > >I wanted to know along the way, and successfully Kerberized my Linux box
> > > >(telnet etc. now use GSSAPI to authenticate). I'm working on a (LONG!)
> > > >HOWTO that I plan to contribute when done, but though I'm almost there,
> > > >I still can't get it to authenticate. For example, if I enter:
> > > >
> > > >kinit [ enter username and password; log into Kerberos ]
> > > >ldapsearch -I
> > > >
> > > >it prompts me for my username, then says
> > > >
> > > >ldap_sasl_interactive_bind_s: Can't contact LDAP server
> > > >
> > > >which is not true, because "ldapsearch -x" (plain authentication) works
> > > >just fine--the LDAP server is up and functioning. Furthermore, if I do a
> > > >klist, I can see GSSAPI added the credentials for
> > > >"ldap@horatio.amberarcher.com" to my local ticket cache, so Kerberos
> > > >successfully logged me in.
> > > >
> > > >Here's my config:
> > > >
> > > >* vanilla Red Hat Linux 6.1
> > > >* Kerberos 5-1.1 configured with --enable-shared --without-krb4
> > > >* Cyrus SASL 1.5.24 configured with --disable-krb4 --enable-gssapi
> > > >    --disable-cram --disable-digest
> > > >* OpenLDAP 2.0.4 configured with --with-cyrus-sasl --with-tls
> > > >    --enable-spasswd --enable-aci
> > > >
> > > >I've started krb5kdc and slapd, and the KDC has a principal and keytab
> > > >entry for "host/horatio.amberarcher.com" and "ldap/horatio.amberarcher.com"
> > > >(else it would not have gotten so far as to authenticate). I think I'm
> > > >very close to getting this to work, so I appreciate any help you can give
> > > >me!
> > > >
> > > >FYI, I tried recompiling Cyrus SASL with its own debug flag set in
> > > >config.h to produce more debugging information, but since it does succeed
> > > >(debug prints "GSS_S_COMPLETE" right before it bombs out), I'm not sure
> > > >the problem's there. I turned on debugging with -d 5 on ldapsearch, and
> > > >didn't find out anything useful. I tried going through the code and
> > > >(because my C's rusty) could not even find the exact spot where it's
> > > >printing that message!
> > > >
> > > >Thanks in advance.
> > > >
> > > >regards,
> > > >kd
> > > >
> > > >
> > > >
> > > >_____NetZero Free Internet Access and Email______
> > > >   http://www.netzero.net/download/index.html
> >


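The thread above narrows the problem by checking three things by hand: that kinit produced a TGT, that the GSSAPI bind obtained a ticket for the ldap/host service principal (visible in klist), and that the server's keytab holds that same principal. The script below, an added example that is not code from the thread or from OpenLDAP or Cyrus SASL, turns those three checks into shell functions that run over the text klist and klist -k print. The host name, realm and both sample outputs are constructed here for offline use; on a real host the functions take live output instead.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a SASL/GSSAPI
# bind, run over the text that `klist` and `klist -k` print.  Host, realm and
# all sample output below are constructed for offline use; substitute your own.

LDAP_HOST="ldap.example.test"   # hypothetical directory server
REALM="EXAMPLE.TEST"            # hypothetical Kerberos realm

# Constructed sample of `klist` output on the client after `kinit` and one
# GSSAPI bind attempt (the ldap/ service ticket is what the bind obtained).
SAMPLE_KLIST="Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.TEST

Valid starting     Expires            Service principal
10/01/00 09:00:00  10/01/00 19:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
10/01/00 09:01:12  10/01/00 19:00:00  ldap/ldap.example.test@EXAMPLE.TEST"

# Constructed sample of `klist -k /etc/krb5.keytab` output on the server.
SAMPLE_KEYTAB="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/ldap.example.test@EXAMPLE.TEST
   2 ldap/ldap.example.test@EXAMPLE.TEST"

# has_tgt KLIST_TEXT REALM: succeeds if the cache holds a TGT for REALM.
has_tgt() {
  printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# has_ldap_service_ticket KLIST_TEXT HOST REALM: succeeds if the cache holds a
# ticket for ldap/HOST@REALM, i.e. the KDC knows the principal slapd will use.
has_ldap_service_ticket() {
  printf '%s\n' "$1" | grep -q "[[:space:]]ldap/$2@$3\$"
}

# keytab_has_principal KEYTAB_TEXT PRINCIPAL: succeeds if the server keytab
# lists PRINCIPAL, so slapd can decrypt the service ticket the client presents.
keytab_has_principal() {
  printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# preflight_report KLIST_TEXT KEYTAB_TEXT HOST REALM: prints one line per check
# and a final "failures: N" line; returns N.
preflight_report() {
  pf_fails=0
  if has_tgt "$1" "$4"; then
    echo "ok   TGT for $4 in credential cache"
  else
    echo "FAIL no TGT for $4 (run kinit first)"; pf_fails=$((pf_fails + 1))
  fi
  if has_ldap_service_ticket "$1" "$3" "$4"; then
    echo "ok   service ticket ldap/$3@$4 in credential cache"
  else
    echo "FAIL no service ticket for ldap/$3@$4"; pf_fails=$((pf_fails + 1))
  fi
  if keytab_has_principal "$2" "ldap/$3@$4"; then
    echo "ok   keytab lists ldap/$3@$4"
  else
    echo "FAIL keytab lacks ldap/$3@$4"; pf_fails=$((pf_fails + 1))
  fi
  echo "failures: $pf_fails"
  return "$pf_fails"
}

# Offline run over the constructed samples (reports "failures: 0").
preflight_report "$SAMPLE_KLIST" "$SAMPLE_KEYTAB" "$LDAP_HOST" "$REALM"

# On a real host the same functions take live output, e.g.:
#   preflight_report "$(klist)" "$(klist -k /etc/krb5.keytab)" "$LDAP_HOST" "$REALM"
# Only when that reports "failures: 0" is the Kerberos side ruled out and the
# SASL bind itself (ldapsearch -I as in the thread, or -Y GSSAPI to name the
# mechanism explicitly) the place to look, as the original poster found.
```

When the three checks pass but the bind still reports "Can't contact LDAP server" while ldapsearch -x works, the Kerberos configuration is not the culprit, which is exactly the situation the original poster was in before applying the 2.0.4 patch referenced in the first message.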