I am trying to use SASL-GSSAPI to leverage our Kerberos V authentication
REALM with Fedora Directory server. When I search anonymously for
supported SASL mechanisms, I get the following response. Seeing GSSAPI
is comforting, but I am sure that is not the whole story. I am running
the directory on RHL E3 with SASL2. What I am looking for are some
docs for the entire process. Turbo Fredriksson has some excellent docs
on OpenLDAP, but they don't seem to map well to the Fedora Directory.
Any suggestion would be greatly appreciated and I would love to
document the process for others.

    ldapsearch -H ldaps://FQDN/ -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: ANONYMOUS

When I attempt to bind to the directory and search for the same
information with the command line below,

    ldapsearch -Y GSSAPI -X u:<valid uid> -b "" -s base -LLL -H ldaps://FQDN supportedSASLMechanism

I get the following command line error:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials
    additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

and the following directory error log error:

    [27/Nov/2005:20:21:18 -0600] - new SSL connection on 69
    [27/Nov/2005:20:21:18 -0600] - activity on 69r
    [27/Nov/2005:20:21:18 -0600] - read activity on 69
    [27/Nov/2005:20:21:18 -0600] - conn 12 activity level = 0
    [27/Nov/2005:20:21:18 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
    [27/Nov/2005:20:21:18 -0600] - listener got signaled

The directory seems to support SASL, and SASL2 is installed; I am just
not sure if anything else is required. A blank ldapsearch reveals the
following:

    ldapsearch
    SASL/DIGEST-MD5 authentication started

The directory docs are pretty thin. Any help would be appreciated.