Problem authenticating to OpenLDAP via GSSAPI

Michael Goetze mgoetze at mgoetze.net
Wed Nov 22 21:15:31 EST 2006


Hi,

I'm trying to authenticate to OpenLDAP using the libsasl2-gssapi-mit
Debian package. So I wrote in /etc/default/saslauthd:

----- /etc/default/saslauthd -----------------------
START=yes
MECHANISMS="kerberos5"
----------------------------------------------------

And here is my ldap.conf:

----- /etc/ldap/ldap.conf --------------------------
URI             ldap://purcell.kerberos.mgoetze.net/
BASE            dc=mgoetze,dc=net
TLS_CACERT      /etc/ssl/certs/cacert.pem
----------------------------------------------------

Here is what happens:

----- Shell Session --------------------------------
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
         renew until 11/18/06 19:43:24
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
         renew until 11/18/06 19:43:24
11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
         renew until 11/18/06 19:43:24
----------------------------------------------------

Here is what auth.log says about this incident:

----- /var/log/auth.log ----------------------------
Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
----------------------------------------------------

Based on my logs, the problem doesn't seem to be in slapd (so I won't
bother you with my slapd.conf unless someone asks), but in saslauthd.
I tried running saslauthd in debug mode but unfortunately it is entirely
unhelpful.

Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
to tell me what I'm doing wrong?

Thanks in advance,
Michael
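An added example, not part of Michael's post, that mechanizes the check he made by hand: parse the `klist -5` output and the krb5kdc `TGS_REQ ... ISSUE` line, confirm that the client holds a service ticket for `ldap/<host>@REALM` matching what the KDC logged as issued, and conclude that a "Permission denied" must then come from the accepting (server) side rather than from ticket acquisition. The sample strings are the post's own output with the line wrapping undone; the parser, the function names and the triage messages are assumptions of this example.

```python
"""Triage a failed SASL/GSSAPI bind from the client's ticket cache and the KDC log.

Added example, not from the original post. It reads text in the format of
`klist -5` output and of MIT krb5kdc "TGS_REQ ... ISSUE" log lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the poster's klist output after the failed bind, unwrapped.
KLIST_AFTER = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
         renew until 11/18/06 19:43:24
11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
         renew until 11/18/06 19:43:24
"""

# Constructed sample: the KDC's auth.log line from the post, unwrapped.
KDC_LOG = ("Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
           "10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, "
           "mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET")

# A ticket row: start time, expiry, service principal (two MM/DD/YY HH:MM:SS stamps).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+@\S+)\s*$")
# The indented continuation row carrying the renewable-until time.
RENEW_RE = re.compile(r"^\s+renew until (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*$")
# MIT krb5kdc TGS_REQ ISSUE line: "... <client> for <service>" at the end.
TGS_ISSUE_RE = re.compile(r"krb5kdc\[\d+\]: TGS_REQ .*?: ISSUE: .*?, (\S+@\S+) for (\S+@\S+)\s*$")


@dataclass
class Ticket:
    start: str
    expires: str
    principal: str
    renew_until: Optional[str] = None


@dataclass
class TicketCache:
    cache: str = ""
    default_principal: str = ""
    tickets: List[Ticket] = field(default_factory=list)


def parse_klist(text: str) -> TicketCache:
    """Parse `klist -5` style output into a TicketCache."""
    cache = TicketCache()
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache.cache = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            cache.default_principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            cache.tickets.append(Ticket(*m.groups()))
            continue
        m = RENEW_RE.match(line)
        if m and cache.tickets:
            cache.tickets[-1].renew_until = m.group(1)  # belongs to the preceding ticket
    return cache


def parse_tgs_issue(line: str) -> Optional[Tuple[str, str]]:
    """Return (client, service) from a krb5kdc TGS_REQ ISSUE line, or None if it is not one."""
    m = TGS_ISSUE_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def triage_gssapi_bind(klist_text: str, kdc_line: str, ldap_host: str, realm: str) -> str:
    """Decide which side of the GSSAPI exchange to investigate.

    The initiator needs a service ticket for ldap/<host>@REALM. If the cache holds it and
    the KDC logged the matching ISSUE, the TGS exchange worked: the client and KDC are fine
    and the error was raised while the LDAP server accepted the token.
    """
    service = f"ldap/{ldap_host}@{realm}"
    cache = parse_klist(klist_text)
    has_tgt = any(t.principal.startswith(f"krbtgt/{realm}@") for t in cache.tickets)
    has_service = any(t.principal == service for t in cache.tickets)
    issued = parse_tgs_issue(kdc_line)
    kdc_confirms = issued == (cache.default_principal, service)
    if not has_tgt:
        return "no TGT in cache: obtain one (kinit) before binding"
    if not has_service:
        return f"no service ticket for {service}: the TGS exchange itself failed"
    if not kdc_confirms:
        return "service ticket present but the KDC line does not match it: check the log source"
    return "acceptor side: client holds the issued service ticket; look at the LDAP server's GSSAPI setup"


if __name__ == "__main__":
    print(triage_gssapi_bind(KLIST_AFTER, KDC_LOG, "purcell.kerberos.mgoetze.net", "KERBEROS.MGOETZE.NET"))
```

Run against the post's own output, the triage lands on the acceptor side, which is the same conclusion the poster reached from the second `klist`: the service ticket for `ldap/purcell.kerberos.mgoetze.net` was issued and cached, so whatever returned "Permission denied" did so after the client had everything it needed.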
