Problem with SASL/Kerberos5
Hi,
I'm trying to authenticate to OpenLDAP using libsasl2-gssapi-mit. So I
wrote in /etc/default/saslauthd:
----- /etc/default/saslauthd -----------------------
START=yes
MECHANISMS="kerberos5"
----------------------------------------------------
And here is my ldap.conf:
----- /etc/ldap/ldap.conf --------------------------
URI ldap://purcell.kerberos.mgoetze.net/
BASE dc=mgoetze,dc=net
TLS_CACERT /etc/ssl/certs/cacert.pem
----------------------------------------------------
Here is what happens:
----- Shell Session --------------------------------
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET
Valid starting Expires Service principal
11/17/06 19:43:27 11/18/06 05:43:27 krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
renew until 11/18/06 19:43:24
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure (Permission denied)
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET
Valid starting Expires Service principal
11/17/06 19:43:27 11/18/06 05:43:27 krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
renew until 11/18/06 19:43:24
11/17/06 19:50:55 11/18/06 05:43:27 ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
renew until 11/18/06 19:43:24
----------------------------------------------------
Here is what auth.log says about this incident:
----- /var/log/auth.log ----------------------------
Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
----------------------------------------------------
Based on my logs, the problem doesn't seem to be in slapd (so I won't
bother you with my slapd.conf unless someone asks), but in saslauthd.
I tried running saslauthd in debug mode but unfortunately it is entirely
unhelpful. (Would gsasl be an alternative, since cyrus-sasl is such
a pain?)
Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
to tell me what I'm doing wrong?
Thanks in advance,
Michael