[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
custom hostname for openldap/sasl is not working
Good day, dear list!
I'm trying to setup SASL GSSAPI authentication for openldap that
listens on hostname different from the machine hostname it runs on.
openldap runs on server inka.example.com. ldap/inka/example.com
principal is added to ldap's keytab file. This command works just
fine:
ldapsearch -Y GSSAPI -H 'ldap://inka.example.com'
Now:
* I've added second IP to the inka.example.com
* Added A record for ldap.example.com to point to that IP and setup
corresponding PTR record.
* Created ldap/ldap.example.com principal and added it ldap's keytab.
* Even set openldap to listen only on ldap.example.com IP.
But the command
ldapsearch -Y GSSAPI -H 'ldap://ldap.example.com'
fails with the following error in ldap log: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Wrong principal
in request)
I see that client successfully obtains ticket for
ldap/ldap.example.com@EXAMPLE.COM
I've tried to set sasl-host to ldap.example.com and sasl-realm to
EXAMPLE.COM in slapd.conf - did not help.
I've even tried to do "hostname ldap" on inka.example.com and restart
slapd - same error.
>From what I understand, the slapd daemon will try, before connecting
the KDC server, to read the keytab file and get the key of the
principal ldap/<sasl-host>#<sasl-realm>, so it looks like I'm doing
the right thing, but it does not work.
System:
Debian testing.
slapd-2.4.17-2.1
sasl-2.1.23.dfsg1-5
MIT kerberos 1.8.3+dfsg~beta1-1
Thank you in advance for help,
--
Zaar
--
Zaar