SASL-GSSAPI - KRB5


 



SASL-GSSAPI - Kerberos

> When I attempt to bind to the directory and search for the same
> information with the command line below.
>
> ldapsearch -Y GSSAPI -X u:<valid uid>  -b "" -s base -LLL  -H 
> ldaps://FQDN supportedSASLMechanism


Did you really mean to initiate a SASL/GSSAPI bind over SSL?
I'm not sure that will work. It might, but it may not be supported.
I know for sure that encrypted gssapi will _not_ work. It uses the
same layered I/O hooks that SSL does, and you can't have both
active at the same time (nor would you want to AFAIK).
Try the non-ssl port and see what happens.

The new and improved error after changing from -H ldaps://..... to -H ldap://... follows

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context


[28/Nov/2005:07:47:47 -0600] - new connection on 68
[28/Nov/2005:07:47:47 -0600] - activity on 68r
[28/Nov/2005:07:47:47 -0600] - read activity on 68
[28/Nov/2005:07:47:47 -0600] - conn 10 activity level = 0
[28/Nov/2005:07:47:47 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
[28/Nov/2005:07:47:47 -0600] - listener got signaled
[28/Nov/2005:07:47:47 -0600] - activity on 68r
[28/Nov/2005:07:47:47 -0600] - read activity on 68
[28/Nov/2005:07:47:47 -0600] - listener got signaled



Thanks for the hint. I did read that it would not be supported over SSL; the competing port would be a valid reason. I did get the mapping pieces completed but had some difficulty understanding the REALMS docs: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
The docs state that GSS-API must be enabled as a SASL mechanism in the Directory to make this work, but they do not state whether this is the default or, if not, how to enable GSS-API. The Realms section reads as if I have to change the DN of all users in the directory to be under cn=gssapi,cn=auth, and therefore the confusion.

Thanks again for any clarity given
Barry
