Problem authenticating to OpenLDAP via GSSAPI

Howard Chu hyc at highlandsun.com
Wed Nov 22 22:04:56 EST 2006


Michael Goetze wrote:
> Hi,
>
> I'm trying to authenticate to OpenLDAP using the libsasl2-gssapi-mit
> Debian package. So I wrote in /etc/default/saslauthd:
>
> Here is what happens:
>
> ----- Shell Session --------------------------------
> % klist -5
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: mgoetze at KERBEROS.MGOETZE.NET
>
> Valid starting     Expires            Service principal
> 11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET at KERBEROS.MGOETZE.NET
>         renew until 11/18/06 19:43:24
> % ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)
>
>
> Based on my logs, the problem doesn't seem to be in slapd (so I won't
> bother you with my slapd.conf unless someone asks), but in saslauthd.
> I tried running saslauthd in debug mode but unfortunately it is entirely
> unhelpful.
>
> Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
> to tell me what I'm doing wrong?
>
saslauthd has nothing to do with GSSAPI authentication; it is only used 
for plaintext password-based authentication mechanisms. It looks like 
your slapd process doesn't have permission to read krb5.conf or its keytab.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
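
An added example, not part of the original message: a shell check of the diagnosis above, that is, whether the account slapd runs as can read the keytab (or krb5.conf) by mode bits. It also flags a world-readable keytab, since the keytab holds the service's long-term keys and opening it to everyone is the wrong fix. The function names are hypothetical; GNU stat is assumed, and ACLs, parent directories, the root bypass and AppArmor/SELinux are not evaluated.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes GNU stat, as on Debian.
# Only the file's own owner/group/other read bits are evaluated.

# read_via FILE UID "GID GID ..." -> prints owner | group | other | none
# Follows the kernel's order: the owner class wins over group, group over other.
read_via() {
    meta=$(stat -c '%a %u %g' -- "$1") || return 2
    set -- $meta "$2" "$3"            # mode, file uid, file gid, uid, gids
    m=$((0$1)); f_uid=$2; f_gid=$3; uid=$4; gids=$5
    if [ "$uid" -eq "$f_uid" ]; then
        [ $((m & 0400)) -ne 0 ] && echo owner || echo none
        return 0
    fi
    for g in $gids; do
        if [ "$g" -eq "$f_gid" ]; then
            [ $((m & 040)) -ne 0 ] && echo group || echo none
            return 0
        fi
    done
    [ $((m & 04)) -ne 0 ] && echo other || echo none
}

# audit_keytab FILE UID "GIDS" -> prints one of:
#   DENIED   the account cannot read the file (the "Permission denied" case)
#   EXPOSED  the account can read it, but so can every local user
#   OK       readable by the account through owner or group bits only
audit_keytab() {
    via=$(read_via "$1" "$2" "$3") || return 2
    mode=$(stat -c '%a' -- "$1")
    if [ "$via" = none ]; then
        echo DENIED
    elif [ $((0$mode & 04)) -ne 0 ]; then
        echo EXPOSED
    else
        echo OK
    fi
}

# Usage: sh check.sh KEYTAB_PATH SLAPD_USER   (both are placeholders)
[ "$#" -lt 2 ] || audit_keytab "$1" "$(id -u "$2")" "$(id -G "$2")"
```

A DENIED result is best resolved by giving the slapd account group read access (for example mode 640 with a group the account belongs to) rather than by making the file world-readable.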



More information about the Cyrus-sasl mailing list