SASL-GSSAPI - KRB5

SASL-GSSAPI - Kerberos
> When I attempt to bind to the directory and search for the same 
> information with the command line below.
>
> ldapsearch -Y GSSAPI -X u:<valid uid>  -b "" -s base -LLL  -H 
> ldaps://FQDN supportedSASLMechanism

Did you really mean to initiate a SASL/GSSAPI bind over SSL ?
I'm not sure that will work. It might, but it may not be supported.
I know for sure that encrypted gssapi will _not_ work. It uses the
same layered I/O hooks that SSL does, and you can't have both
active at the same time (nor would you want to AFAIK).
Try the non-ssl port and see what happens.

The new and improved error after changing from -H ldaps://..... to -H ldap://... follows

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context


[28/Nov/2005:07:47:47 -0600] - new connection on 68
[28/Nov/2005:07:47:47 -0600] - activity on 68r
[28/Nov/2005:07:47:47 -0600] - read activity on 68
[28/Nov/2005:07:47:47 -0600] - conn 10 activity level = 0
[28/Nov/2005:07:47:47 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
[28/Nov/2005:07:47:47 -0600] - listener got signaled
[28/Nov/2005:07:47:47 -0600] - activity on 68r
[28/Nov/2005:07:47:47 -0600] - read activity on 68
[28/Nov/2005:07:47:47 -0600] - listener got signaled



Thanks for the hint. I did read that it would not be supported over SSL; the competing port would be a valid reason.  I did get the mapping pieces completed but had some difficulty understanding the REALMS docs.  http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
The docs state that GSS-API must be enabled as a SASL mechanism in the Directory to make this work, but they do not state whether this is the default or, if not, how to enable GSS-API.  The Realms section reads as if I have to change the DN of all users in the directory to be under cn=gssapi,cn=auth, hence the confusion.

Thanks again for any clarity given
Barry
begin:vcard
fn:Barry Ribbeck
n:Ribbeck;Barry
org:Rice University;IT
adr:;;6100 Main Street;Houston;TX;77030;USA
email;internet:bribbeck@xxxxxxxx
title:Director Systems, Architecture and Infrastructure
tel;work:+1 713 348 4012
version:2.1
end:vcard

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
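As an added example (not from the thread or the Directory Server project): a small Python parser for the error-log lines pasted above. It splits records at each timestamp header rather than only at newlines (the paste above has two records fused on one line), then surfaces every sasl() error with its mechanism and Kerberos reason string, so the server-side cause can be lined up with the client's gss_accept_sec_context failure. The log text is a constructed sample in the same format as the thread's lines.

```python
import re
from datetime import datetime

# Constructed sample in the error-log format shown in the thread; the fifth
# line deliberately carries two records fused together, as in the paste.
SAMPLE_LOG = """\
[28/Nov/2005:07:47:47 -0600] - new connection on 68
[28/Nov/2005:07:47:47 -0600] - activity on 68r
[28/Nov/2005:07:47:47 -0600] - read activity on 68
[28/Nov/2005:07:47:47 -0600] - conn 10 activity level = 0
[28/Nov/2005:07:47:47 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)[28/Nov/2005:07:47:47 -0600] - listener got signaled
[28/Nov/2005:07:47:47 -0600] - activity on 68r
"""

# Record header: "[dd/Mon/yyyy:HH:MM:SS +zzzz] - "; the capture group makes
# re.split() hand the timestamp back to us.
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] - ")
# "sasl(<level>): <mech> Error: <reason> (<detail>)"; the detail is optional.
SASL_ERR_RE = re.compile(
    r"sasl\((?P<level>\d+)\): (?P<mech>\w+) Error: (?P<reason>.*?)"
    r"(?: \((?P<detail>[^)]*)\))?$"
)


def split_records(text):
    """Return (timestamp, message) pairs, splitting fused lines at every header."""
    records = []
    for line in text.splitlines():
        parts = TS_RE.split(line)  # ['', ts1, msg1, ts2, msg2, ...]
        for i in range(1, len(parts) - 1, 2):
            records.append((parts[i], parts[i + 1].strip()))
    return records


def parse_timestamp(ts):
    """Parse the log timestamp, keeping the numeric UTC offset."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_sasl_failures(text):
    """Return one dict per sasl() error record: time, level, mech, reason, detail."""
    failures = []
    for ts, msg in split_records(text):
        m = SASL_ERR_RE.match(msg)
        if m:
            failures.append({"time": parse_timestamp(ts), "level": int(m["level"]),
                             "mech": m["mech"], "reason": m["reason"],
                             "detail": m["detail"]})
    return failures


if __name__ == "__main__":
    for f in find_sasl_failures(SAMPLE_LOG):
        print(f["time"].isoformat(), f["mech"], f["reason"], f["detail"])
```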
