Hi,
thank you for your help.
I solved my problem. The /etc/krb5.keytab file was not readable by the
OpenLDAP daemon. Now everything is OK locally, but when I try the
ldapsearch command remotely from my client (iMac running Leopard
10.5.6) I get the following error:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
In the OpenLDAP log file I can see:
Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
Error: Miscellaneous failure (see text) (Decrypt integrity check
failedxt))
If I run the klist command on my client, I can see the following tickets:
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: xav@PASSRL
Valid Starting Expires Service Principal
02/27/09 18:04:17 02/28/09 04:04:17 krbtgt/PASSRL@PASSRL
renew until 03/06/09 18:04:17
02/27/09 18:04:20 02/28/09 04:04:17 ldap/passrlsrv.passrl@
renew until 03/06/09 18:04:17
I suspect that the problem is due to the ldap service ticket principal,
which is "ldap/passrlsrv.passrl@" instead of
"ldap/passrlsrv.passrl@PASSRL". In my KDC log file I see that the service
ticket request is for "ldap/passrlsrv.passrl@PASSRL".
Any idea why the principal looks wrong in the client Kerberos cache?
Thank you,
Xavier
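A check for the symptom described above, added here as an example and not part of the original mail: it parses klist output and flags any service ticket whose realm is empty or differs from the client's realm. The embedded listing is the one from the post; the regex assumes klist's "MM/DD/YY HH:MM:SS" date format shown there.

```python
import re

# Constructed sample: the klist listing from the post above, embedded so the
# check runs offline; on a real client, feed it the output of `klist`.
KLIST_OUTPUT = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: xav@PASSRL

Valid Starting     Expires            Service Principal
02/27/09 18:04:17  02/28/09 04:04:17  krbtgt/PASSRL@PASSRL
        renew until 03/06/09 18:04:17
02/27/09 18:04:20  02/28/09 04:04:17  ldap/passrlsrv.passrl@
        renew until 03/06/09 18:04:17
"""

# A ticket line is two "MM/DD/YY HH:MM:SS" stamps followed by the principal;
# the column header and the "renew until" continuation lines do not match.
_STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(?P<principal>\S+)$")


def split_principal(principal):
    """Return (name, realm); realm is '' when '@' is missing or has nothing after it."""
    name, _sep, realm = principal.partition("@")
    return name, realm


def parse_klist(text):
    """Return (client realm, [service principals]) from klist output."""
    default_realm, principals = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            default_realm = split_principal(line.split(":", 1)[1].strip())[1]
        elif (m := TICKET_RE.match(line)):
            principals.append(m.group("principal"))
    return default_realm, principals


def find_realm_problems(text):
    """Flag tickets whose realm is empty (as in the post) or differs from the
    client's realm, which is only expected with a configured cross-realm trust."""
    default_realm, principals = parse_klist(text)
    problems = []
    for principal in principals:
        _name, realm = split_principal(principal)
        if realm == "":
            problems.append((principal, "empty realm"))
        elif realm != default_realm:
            problems.append((principal, f"realm {realm} differs from {default_realm}"))
    return problems


print(find_realm_problems(KLIST_OUTPUT))
```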
On 22 Feb 2009, at 04:19, Dan White wrote:
Xavier Ambrosioni wrote:
Hi,
I'm trying to set up OpenLDAP with SASL and GSSAPI. My server is
running Ubuntu "hardy heron" with the following versions:
Cyrus SASL 2.1.22 with gssapi-heimdal module
OpenLDAP 2.4.9
Heimdal KDC 1.0.1
Hi Xavier,
See:
http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
- Dan