SASL + Kerberos + OpenLDAP issue

Xavier Ambrosioni xavier.ambrosioni at cinema-voiron.fr
Fri Feb 27 12:11:39 EST 2009


Hi,

thank you for your help.
I solved my problem. The /etc/krb5.keytab file was not readable by the
OpenLDAP daemon. Now everything is OK locally, but when I try the
ldapsearch command remotely from my client (an iMac running Leopard
10.5.6) I get the following error:

ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): authentication failure: GSSAPI Failure:  
gss_accept_sec_context

In the OpenLDAP log file I can see:

Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
Error: Miscellaneous failure (see text) (Decrypt integrity check failed)


If I run the klist command on my client, I can see the following tickets:

Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: xav@PASSRL

Valid Starting     Expires            Service Principal
02/27/09 18:04:17  02/28/09 04:04:17  krbtgt/PASSRL@PASSRL
	renew until 03/06/09 18:04:17
02/27/09 18:04:20  02/28/09 04:04:17  ldap/passrlsrv.passrl@
	renew until 03/06/09 18:04:17


I suspect that the problem is due to the ldap service ticket principal,
which is "ldap/passrlsrv.passrl@" instead of "ldap/passrlsrv.passrl@PASSRL".
In my KDC log file I see that the service ticket request is for
"ldap/passrlsrv.passrl@PASSRL".

Any idea why the principal looks wrong in the client Kerberos cache?

Thank you,
Xavier



On 22 Feb 2009, at 04:19, Dan White wrote:

> Xavier Ambrosioni wrote:
>> Hi,
>>
>> I'm trying to set up OpenLDAP with SASL and GSSAPI. My server is  
>> running Ubuntu "hardy heron" with the following versions:
>>  Cyrus SASL 2.1.22 with gssapi-heimdal module
>>  OpenLDAP 2.4.9
>>  Heimdal KDC 1.0.1
>>
>
> Hi Xavier,
>
> See:
>
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
>
> - Dan
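The two faults in the thread above are the ones that account for most GSSAPI bind failures against slapd: a keytab the daemon cannot read, and a keytab whose entry for ldap/<fqdn>@REALM does not match the key the KDC actually issued the service ticket under. On the acceptor side, Heimdal's "Decrypt integrity check failed" means slapd found a key for the principal but could not decrypt the ticket with it, which is what a key-version (kvno) mismatch or a re-created service principal looks like, so the keytab's kvno should be compared with what the KDC currently uses. The script below is an added example, not code from the original post or from OpenLDAP, Cyrus SASL or Heimdal: it runs the three checks offline over constructed copies of the diagnostic output an administrator would gather (the client `klist` output quoted in the mail, a Heimdal `ktutil list` of the server keytab, and an MIT-style `kvno` query). The realm, host name and keytab path come from the thread; the key version numbers, enctypes and the slapd uid/gid are invented for illustration.

```python
# Added example, not code from the original post or from OpenLDAP/Heimdal.
# Offline checks for the three things this thread turned on: keytab readable by
# slapd, service principal present in the keytab at the kvno the KDC uses, and
# sane realms in the client's cache. Realm/host/path from the mail; rest invented.
import re
import stat

REALM = "PASSRL"
EXPECTED_SERVICE = f"ldap/passrlsrv.passrl@{REALM}"

# Constructed to mirror the client `klist` output quoted in the mail.
CLIENT_KLIST = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: xav@PASSRL

Valid Starting     Expires            Service Principal
02/27/09 18:04:17  02/28/09 04:04:17  krbtgt/PASSRL@PASSRL
        renew until 03/06/09 18:04:17
02/27/09 18:04:20  02/28/09 04:04:17  ldap/passrlsrv.passrl@
        renew until 03/06/09 18:04:17
"""

# Constructed, Heimdal `ktutil list` layout (MIT `klist -k` lines also match). kvno 3 is invented.
SERVER_KEYTAB_LISTING = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  3  des-cbc-crc              ldap/passrlsrv.passrl@PASSRL
  3  des3-cbc-sha1            ldap/passrlsrv.passrl@PASSRL
  3  des-cbc-crc              host/passrlsrv.passrl@PASSRL
"""

# Constructed MIT-style `kvno ldap/passrlsrv.passrl` output; invented, deliberately not 3.
KVNO_OUTPUT = "ldap/passrlsrv.passrl@PASSRL: kvno = 4\n"

TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?(\S+@\S+)\s*$")
KVNO_RE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def service_principals(klist_output: str) -> list[str]:
    """Service principals held in a client credential cache, in listing order."""
    return [m.group(1) for line in klist_output.splitlines() if (m := TICKET_RE.match(line))]


def realm_problems(klist_output: str, realm: str = REALM) -> list[str]:
    """Cached service tickets whose realm is empty or unexpected, like 'ldap/passrlsrv.passrl@'."""
    return [p for p in service_principals(klist_output) if p.rpartition("@")[2] != realm]


def keytab_entries(listing: str) -> dict[str, set[int]]:
    """Map each principal in a keytab listing to the key versions it holds."""
    entries: dict[str, set[int]] = {}
    for line in listing.splitlines():
        if m := KEYTAB_RE.match(line):
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def kvno_mismatches(kvno_output: str, listing: str) -> list[tuple[str, int, set[int]]]:
    """Principals whose KDC-side kvno has no key in the keytab. The acceptor then
    tries the wrong key, the usual cause of 'Decrypt integrity check failed'."""
    entries = keytab_entries(listing)
    out = []
    for line in kvno_output.splitlines():
        if m := KVNO_RE.match(line):
            princ, kvno = m.group(1), int(m.group(2))
            if kvno not in entries.get(princ, set()):
                out.append((princ, kvno, entries.get(princ, set())))
    return out


def mode_allows_read(mode: int, file_uid: int, file_gid: int, uid: int, gid: int) -> bool:
    """Can a process running as uid/gid read a file with these stat() fields? Mirrors
    the first fault in the thread (keytab not readable by slapd). Checks the file's own
    mode bits only, not parent directories or supplementary groups; root always can."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(client_klist: str = CLIENT_KLIST, keytab_listing: str = SERVER_KEYTAB_LISTING,
             kvno_output: str = KVNO_OUTPUT) -> list[str]:
    """Human-readable findings from the three listings; an empty list means all clear."""
    findings = [f"client cache holds {p!r}: realm is empty or not {REALM}"
                for p in realm_problems(client_klist)]
    if EXPECTED_SERVICE not in keytab_entries(keytab_listing):
        findings.append(f"{EXPECTED_SERVICE} is missing from the server keytab")
    for princ, kvno, have in kvno_mismatches(kvno_output, keytab_listing):
        findings.append(f"{princ}: KDC uses kvno {kvno}, keytab only has {sorted(have)}")
    return findings


if __name__ == "__main__":
    # Stand-in for `stat /etc/krb5.keytab`: 0600 root:root, slapd running as uid/gid 1001.
    print("keytab readable by slapd:", mode_allows_read(0o600, 0, 0, 1001, 1001))
    print("\n".join(diagnose()) or "no problems found")
```

On a real server the inputs would come from `klist` on the client, `ktutil list` (Heimdal) or `klist -k` (MIT) on the slapd host, and `kvno ldap/<fqdn>` from a client with a valid TGT; the functions only parse text, so they run as-is against the constructed samples. A mismatch reported by `kvno_mismatches` is fixed by re-exporting the service key into the keytab, not by touching SASL or slapd configuration.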



