Problem authenticating to OpenLDAP via GSSAPI
Howard Chu
hyc at highlandsun.com
Wed Nov 22 22:04:56 EST 2006
Michael Goetze wrote:
> Hi,
>
> I'm trying to authenticate to OpenLDAP using the libsasl2-gssapi-mit
> Debian package. So I wrote in /etc/default/saslauthd:
>
> Here is what happens:
>
> ----- Shell Session --------------------------------
> % klist -5
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: mgoetze at KERBEROS.MGOETZE.NET
>
> Valid starting     Expires            Service principal
> 11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET at KERBEROS.MGOETZE.NET
>         renew until 11/18/06 19:43:24
> % ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)
>
>
> Based on my logs, the problem doesn't seem to be in slapd (so I won't
> bother you with my slapd.conf unless someone asks), but in saslauthd.
> I tried running saslauthd in debug mode but unfortunately it is entirely
> unhelpful.
>
> Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
> to tell me what I'm doing wrong?
>
saslauthd has nothing to do with GSSAPI authentication; it is only used
for plaintext password-based authentication mechanisms. It looks like
your slapd process doesn't have permission to read krb5.conf or its keytab.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
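
Added example, not part of the original message or of OpenLDAP: one way to check the diagnosis above, that the account slapd runs as cannot read krb5.conf or its keytab, including a blocked parent directory.
Assumptions: the account name "openldap", the MIT default paths /etc/krb5.conf and /etc/krb5.keytab, and all function names here; only classic mode bits are evaluated.

```python
import os
import pwd
import stat
import sys

# Classic POSIX mode-bit check only: ACLs and MAC policy (SELinux, AppArmor) are not modelled.
_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def mode_allows(st, uid, gids, perm):
    """True if uid/gids get `perm` ('r' or 'x') from the mode bits in stat result `st`."""
    if uid == 0:
        return True  # root is not stopped by mode bits for read or directory search
    owner, group, other = _BITS[perm]
    if st.st_uid == uid:
        return bool(st.st_mode & owner)
    if st.st_gid in gids:
        return bool(st.st_mode & group)
    return bool(st.st_mode & other)

def why_unreadable(path, uid, gids):
    """Return None if the identity can read `path`, else the first blocking component."""
    path = os.path.realpath(path)
    current = "/"
    try:
        # Every directory from / down to the file's parent needs search (x) permission.
        for part in [""] + os.path.dirname(path).strip("/").split("/"):
            current = os.path.join(current, part)
            if not mode_allows(os.stat(current), uid, gids, "x"):
                return f"no search (x) permission on directory {current}"
        st = os.stat(path)
    except OSError as exc:
        return f"cannot stat {exc.filename}: {exc.strerror}"
    if not mode_allows(st, uid, gids, "r"):
        return f"no read permission on {path} ({stat.filemode(st.st_mode)})"
    return None

def audit(uid, gids, krb5_conf="/etc/krb5.conf", keytab="/etc/krb5.keytab"):
    """List reasons the identity cannot read the Kerberos files, plus an exposure check."""
    findings = [r for r in (why_unreadable(p, uid, gids) for p in (krb5_conf, keytab)) if r]
    if os.path.exists(keytab) and os.stat(keytab).st_mode & stat.S_IROTH:
        findings.append(f"{keytab} is world-readable: any local user can copy the service key")
    return findings

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "openldap"  # assumed slapd account name
    pw = pwd.getpwnam(user)
    for line in audit(pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))) or ["no problems found"]:
        print(line)
```

Run it as root with the slapd account name as the argument. If slapd is pointed at a different keytab (for example through KRB5_KTNAME), pass that path to audit() instead.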