SASL + Kerberos + OpenLDAP issue

Quanah Gibson-Mount quanah at zimbra.com
Fri Feb 27 14:44:32 EST 2009


--On Friday, February 27, 2009 1:39 PM -0600 Dan White <dwhite at olp.net> 
wrote:

> Xavier Ambrosioni wrote:
>> Hi,
>>
>> thank you for your help.
>> I solved my problem. The /etc/krb5.keytab file was not readable by
>> the OpenLDAP daemon. Now everything is OK locally, but when I tried
>> the ldapsearch command remotely from my client (iMac running Leopard
>> 10.5.6) I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>     additional info: SASL(-13): authentication failure: GSSAPI
>> Failure: gss_accept_sec_context
>>
>> In the OpenLDAP log file I can see:
>>
>> Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
>> Error:  Miscellaneous failure (see text) (Decrypt integrity check
>> failedxt))

I've seen this sort of error using SASL/GSSAPI connections with cyrus-sasl 
when linked against MIT Kerberos.  For a number of reasons, it has been my 
strong opinion that people should only use a cyrus-sasl build linked 
against Heimdal Kerberos with their OpenLDAP server build.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

