Problem authenticating to OpenLDAP via GSSAPI
Michael Goetze
mgoetze@mgoetze.net
Wed Nov 22 21:15:31 EST 2006
Hi,
I'm trying to authenticate to OpenLDAP using the libsasl2-gssapi-mit
Debian package. So I wrote in /etc/default/saslauthd:
----- /etc/default/saslauthd -----------------------
START=yes
MECHANISMS="kerberos5"
----------------------------------------------------
And here is my ldap.conf:
----- /etc/ldap/ldap.conf --------------------------
URI ldap://purcell.kerberos.mgoetze.net/
BASE dc=mgoetze,dc=net
TLS_CACERT /etc/ssl/certs/cacert.pem
----------------------------------------------------
Here is what happens:
----- Shell Session --------------------------------
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
----------------------------------------------------
Here is what auth.log says about this incident:
----- /var/log/auth.log ----------------------------
Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
----------------------------------------------------
Based on my logs, the problem doesn't seem to be in slapd (so I won't
bother you with my slapd.conf unless someone asks), but in saslauthd.
I tried running saslauthd in debug mode but unfortunately it is entirely
unhelpful.
Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
to tell me what I'm doing wrong?
Thanks in advance,
Michael
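The post compares two pieces of evidence by eye: the second `klist -5` (the client now holds a ticket for `ldap/purcell.kerberos.mgoetze.net`) and the `krb5kdc` line in auth.log (the KDC logged issuing exactly that ticket). The script below, an added example that is not code from the post or from Cyrus SASL, does that cross-check mechanically: it parses `klist -5` output and MIT `krb5kdc` TGS_REQ records, confirms that the client obtained a currently valid ticket for the LDAP service principal and that the KDC logged issuing it, and additionally flags the enctypes involved against the ones since deprecated (single DES by RFC 6649, 3DES and RC4 by RFC 8429). The sample texts are constructed in the shape of the output quoted in the post, with the wrapped lines re-joined; the mailing-list "at" obfuscation in the principals is restored to "@".

```python
"""Cross-check a failed GSSAPI bind from both ends: the client's credential
cache (`klist -5`) and the KDC's TGS_REQ record in auth.log.  Added example,
not code from the post; the sample texts below are constructed in the shape
of the output quoted there (wrapped lines re-joined)."""
import re
from datetime import datetime

# MIT krb5 enctype numbers (RFC 3961, RFC 3962, RFC 4757) and the ones that
# RFC 6649 (single DES) and RFC 8429 (3DES, RC4) deprecate.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
DEPRECATED_ETYPES = {1, 2, 3, 16, 23}

# krb5kdc "TGS_REQ (<n> etypes {...}) <addr>: ISSUE: ... <client> for <service>"
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): ISSUE: "
    r"authtime \d+, etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)"
)
# klist -5 ticket row: "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service/host@REALM"
KLIST_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
KLIST_TIME = "%m/%d/%y %H:%M:%S"

# Constructed sample in the shape of the post's second `klist -5`.
KLIST_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
"""
# Constructed sample: the post's krb5kdc record re-joined onto one line.
KDC_SAMPLE = (
    "Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, "
    "mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET\n"
)
LDAP_SPN = "ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET"


def parse_kdc_log(text):
    """One dict per 'TGS_REQ ... ISSUE' record in an MIT krb5kdc log."""
    records = []
    for line in text.splitlines():
        m = TGS_RE.search(line)
        if m:
            records.append({
                "offered": [int(e) for e in m.group(1).split()],
                "client_addr": m.group(2),
                "rep": int(m.group(3)), "tkt": int(m.group(4)), "ses": int(m.group(5)),
                "client": m.group(6), "service": m.group(7),
            })
    return records


def parse_klist(text):
    """{service principal: (valid_from, expires)} from `klist -5` output.
    Header, 'renew until' and cache lines do not match the row pattern."""
    tickets = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = (datetime.strptime(m.group(1), KLIST_TIME),
                                   datetime.strptime(m.group(2), KLIST_TIME))
    return tickets


def cross_check(klist_text, kdc_log, service, now):
    """Does the client hold a currently valid ticket for `service`, did the
    KDC log issuing it, and did either side lean on a deprecated enctype?"""
    tickets = parse_klist(klist_text)
    issued = [r for r in parse_kdc_log(kdc_log) if r["service"] == service]
    valid = service in tickets and tickets[service][0] <= now < tickets[service][1]
    weak_offered = {ETYPE_NAMES.get(e, str(e))
                    for r in issued for e in r["offered"] if e in DEPRECATED_ETYPES}
    return {
        "client_has_ticket": service in tickets,
        "ticket_valid_now": valid,
        "kdc_issued": bool(issued),
        "weak_offered": sorted(weak_offered),
        "weak_session_key": any(r["ses"] in DEPRECATED_ETYPES for r in issued),
    }


def demo():
    """Run the check on the constructed samples at a time inside the
    ticket lifetime they show."""
    return cross_check(KLIST_SAMPLE, KDC_SAMPLE, LDAP_SPN, datetime(2006, 11, 17, 20, 0, 0))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When both `client_has_ticket` and `kdc_issued` come back true, the KDC leg of the exchange (TGT, then TGS for the LDAP service) has completed; an error reported after that point belongs to the GSSAPI context step between the client and slapd, which is where the "Permission denied" in the post surfaces. The enctype findings are a separate matter: the 2006 output shows a des3-cbc-sha1 session key and DES and RC4 types on offer, all deprecated since, and they are worth removing from `krb5.conf` and the KDC's supported list, but they are not what the check says caused this particular failure.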