Problem authenticating to OpenLDAP via GSSAPI

Hi,

I'm trying to authenticate to OpenLDAP using the libsasl2-gssapi-mit Debian package. So I
wrote in /etc/default/saslauthd:

----- /etc/default/saslauthd -----------------------
START=yes
MECHANISMS="kerberos5"
----------------------------------------------------

And here is my ldap.conf:

----- /etc/ldap/ldap.conf --------------------------
URI             ldap://purcell.kerberos.mgoetze.net/
BASE            dc=mgoetze,dc=net
TLS_CACERT      /etc/ssl/certs/cacert.pem
----------------------------------------------------

Here is what happens:

----- Shell Session --------------------------------
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
11/17/06 19:43:27 11/18/06 05:43:27 krbtgt/KERBEROS.MGOETZE.NET@xxxxxxxxxxxxxxxxxxxx
        renew until 11/18/06 19:43:24
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure (Permission denied)
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
11/17/06 19:43:27 11/18/06 05:43:27 krbtgt/KERBEROS.MGOETZE.NET@xxxxxxxxxxxxxxxxxxxx
        renew until 11/18/06 19:43:24
11/17/06 19:50:55 11/18/06 05:43:27 ldap/purcell.kerberos.mgoetze.net@xxxxxxxxxxxxxxxxxxxx
        renew until 11/18/06 19:43:24
----------------------------------------------------

Here is what auth.log says about this incident:

----- /var/log/auth.log ----------------------------
Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write
key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@xxxxxxxxxxxxxxxxxxxx
----------------------------------------------------

Based on my logs, the problem doesn't seem to be in slapd (so I won't
bother you with my slapd.conf unless someone asks), but in saslauthd.
I tried running saslauthd in debug mode but unfortunately it is entirely
unhelpful.

Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
to tell me what I'm doing wrong?

Thanks in advance,
Michael
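Editor's note, added below the post and not part of Michael's message: the krb5kdc line in his auth.log already answers half of his question, and it also shows something he did not ask about. The script below is an added example (not code from the post or from the OpenLDAP/Cyrus projects) that parses MIT krb5kdc request lines as they appear in syslog, separates a successful ISSUE from a refusal, and reports the negotiated enctypes. Run over the posted line it shows that the KDC did issue ldap/purcell.kerberos.mgoetze.net, so the "Permission denied" happens in the GSS context step afterwards, and that the ticket (tkt=16) was encrypted with a des3-cbc-sha1 key although the client offered AES first. The sample log lines are constructed from the post, with the masked realm written out as KERBEROS.MGOETZE.NET (which appears in plain text in the TGS_REQ line) and the stray space after '@' removed; the enctype number table is the IANA Kerberos registry.

```python
"""Parse MIT krb5kdc audit lines from syslog and report what was negotiated.

Added example, not code from the original post. SAMPLE_LOG below is
constructed from the lines quoted in the post.
"""
import re
from typing import Dict, List, Optional

# Kerberos enctype numbers from the IANA registry (RFC 3961, 3962, 4757).
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated
AES_ENCTYPES = {17, 18}


def enctype_name(etype: int) -> str:
    return ENCTYPE_NAMES.get(etype, f"etype {etype}")


# One MIT krb5kdc request line: "<REQ> (<n> etypes {...}) <ip>: <STATUS>: <rest>"
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client_ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# For an ISSUE line the remainder carries the negotiated enctypes and principals.
ISSUE_REST = re.compile(
    r"authtime \d+,\s+etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\},\s+"
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def parse_kdc_line(line: str) -> Optional[dict]:
    """Return a record for a krb5kdc request line, or None for any other line."""
    m = KDC_LINE.search(line)
    if not m:
        return None
    rec = {
        "request": m.group("req"),
        "client_ip": m.group("client_ip"),
        "status": m.group("status"),
        # enctypes the client offered, in its order of preference
        "offered": [int(e) for e in m.group("offered").split()],
    }
    if rec["status"] == "ISSUE":
        im = ISSUE_REST.match(m.group("rest"))
        if im:
            rec["client"] = im.group("client")
            rec["service"] = im.group("service")
            rec["rep"] = int(im.group("rep"))  # reply encryption (TGT session key for a TGS_REQ)
            rec["tkt"] = int(im.group("tkt"))  # ticket encryption = the service's long-term key
            rec["ses"] = int(im.group("ses"))  # session key handed to client and service
    return rec


def assess(rec: dict) -> List[str]:
    """Turn one parsed record into findings a troubleshooter can act on."""
    findings: List[str] = []
    if rec["status"] != "ISSUE":
        findings.append(f"KDC refused {rec['request']} from {rec['client_ip']}: {rec['status']}")
        return findings
    findings.append(
        f"KDC issued {rec['service']} to {rec['client']}; a GSSAPI failure after this "
        "point happens in the GSS context step on the client or the server, not at the KDC"
    )
    # tkt is the enctype of the key the ticket was sealed with, i.e. the service key the KDC used.
    if rec["tkt"] not in AES_ENCTYPES and any(e in AES_ENCTYPES for e in rec["offered"]):
        findings.append(
            f"service ticket sealed with {enctype_name(rec['tkt'])} although the client "
            f"offered {enctype_name(rec['offered'][0])} first; consider rekeying the service principal"
        )
    for role in ("rep", "tkt", "ses"):
        if rec[role] in WEAK_ENCTYPES:
            findings.append(f"{role} uses deprecated {enctype_name(rec[role])}")
    return findings


# Constructed sample: the slapd line (which the parser must ignore) and the KDC line from the post.
SAMPLE_LOG = [
    "Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write "
    "key database /etc/opiekeys: No such file or directory",
    "Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, "
    "mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET",
]


def analyse_log(lines: List[str]) -> List[str]:
    """Run parse + assess over every line, skipping non-KDC lines."""
    out: List[str] = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is not None:
            out.extend(assess(rec))
    return out


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print("-", finding)
```

Feed it `grep krb5kdc /var/log/auth.log` on a real host; refusals (any status other than ISSUE) are reported as such, and only ISSUE lines get the enctype checks.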
