I am trying to use SASL-GSSAPI to leverage our Kerberos V authentication
REALM with Fedora Directory server. When I search anonymously for
supported SASL mechanisms, I get the following response. Seeing GSSAPI
is comforting, but I am sure that is not the whole story. I am running
the directory on RHL E3 with SASL2. What I am looking for are some
docs for the entire process. Turbo Fredriksson has some excellent docs
on Open LDAP, but they don't seem to map well to the Fedora Directory.
Any suggestion would be greatly apprectiated and I would love to
document the process for others.
ldapsearch -H ldaps://FQDN/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
When I attempt to bind to the directory and search for the same
information with the command line below.
ldapsearch -Y GSSAPI -X u:<valid uid> -b "" -s base -LLL -H
ldaps://FQDN supportedSASLMechanism
I get the following command line error
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
and the following directory error log error
[27/Nov/2005:20:21:18 -0600] - new SSL connection on 69
[27/Nov/2005:20:21:18 -0600] - activity on 69r
[27/Nov/2005:20:21:18 -0600] - read activity on 69
[27/Nov/2005:20:21:18 -0600] - conn 12 activity level = 0
[27/Nov/2005:20:21:18 -0600] - sasl(2): GSSAPI Error: Miscellaneous
failure (Bad encryption type)[27/Nov/2005:20:21:18 -0600] - listener got
signaled
The directory seems to support SASL, and SASL2 is installed, I am just
not sure if anything else is required. A blank ldapsearch reveals the
following ldapsearch
SASL/DIGEST-MD5 authentication started
The directory docs are pretty thin. Any help would be appreciated.
