I've run into some problems getting OpenLDAP on FreeBSD (8.2-STABLE) to authenticate using Kerberos tickets. I hope I've just had a brain glitch, so please feel free to let me know that I've missed something obvious.
Here's where things are:
- Kerberos works just fine. I can acquire credentials using kinit, and I can use these credentials for authentication (for example, for ssh or telnet login).
- OpenLDAP is installed and works with basic authentication.
- slapd is clearly linked against the SASL libraries; ldd .../slapd reports:
  libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800d07000)
- There exists /usr/local/lib/sasl2/slapd.conf with the following contents:
  mech_list: GSSAPI
- slapd reports that it supports GSSAPI authentication:
  $ ldapsearch -x -b '' -s base supportedSASLMechanisms
  dn:
  supportedSASLMechanisms: GSSAPI
- There exists /etc/krb5.keytab with keys for host/<myhostname> and ldap/<myhostname>.
- The sample SASL server/client appear to work fine with gssapi authentication:
  # server -p 2222 -s ldap -m gssapi
  Followed by:
  # client -p 2222 -s ldap -m gssapi
  Ultimately results in:
  successful authentication
And yet…
I have been unable to get slapd to accept GSSAPI authentication. Simply trying to run ldapwhoami, with a valid Kerberos ticket, results in the following error:
  SASL/GSSAPI authentication started
  ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
  additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
The same error is logged by slapd. I've sort of hit a wall here; slapd, even with various debugging turned on, isn't providing me with anything useful. Help?
Update: Just for kicks I decided to try setting up OpenLDAP inside a Linux (CentOS 5) jail to see if the behavior was any different. After rebuilding the OpenLDAP packages (FreeBSD's Linux support does not include the epoll() system call), it was giving me error messages that seemed a little more useful (regarding missing Kerberos principals). It at least seemed to be performing the GSSAPI negotiation correctly. So it looks like this is a FreeBSD issue…maybe? Hoping for input from somebody out there.
Best Answer
And...mysteriously it's started working. For the record, here is what seems to be a repeatable process:
- ldap/... principal.
- Make sure slapd will be able to read a keytab file. The simplest mechanism is:
- sasl-host, sasl-realm, and sasl-regexp.
- BASE and URI in /usr/local/etc/openldap/ldap.conf.
- Test by acquiring a Kerberos ticket and then running ldapwhoami -Y GSSAPI.
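The checklist above, turned into a pre-flight script for a GSSAPI bind against slapd: this is an added example written for this page, not code from the original answer. It assumes (not stated on the page) that slapd runs as the user "ldap", that the keytab is /etc/krb5.keytab, and that su -m is available as on FreeBSD; the parsing helpers take their input on stdin so they can be checked against captured output.

```shell
#!/bin/sh
# Pre-flight checks before trying `ldapwhoami -Y GSSAPI` (added example).
# Assumed, not from the page: slapd runs as "ldap", keytab is /etc/krb5.keytab.

# keytab_has_principal PRINCIPAL  (reads a `klist -k` listing on stdin)
# Both MIT and Heimdal print the principal as the last field of each entry,
# so matching on $NF works for either Kerberos implementation.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# server_offers_gssapi  (reads the rootDSE query output on stdin)
# Checks that slapd advertises GSSAPI in supportedSASLMechanisms.
server_offers_gssapi() {
    grep -q '^supportedSASLMechanisms: GSSAPI$'
}

# keytab_readable_by USER FILE  (run as root)
# `su -m` keeps the current environment, so only file permissions are tested.
keytab_readable_by() {
    su -m "$1" -c "test -r '$2'"
}

# expected_service_principal REALM -> ldap/<this host>@REALM
# This is the name slapd's GSSAPI acceptor needs to find in the keytab.
expected_service_principal() {
    printf 'ldap/%s@%s\n' "$(hostname)" "$1"
}

# preflight REALM [KEYTAB] [SLAPD_USER]
# Walks the answer's checklist and stops at the first failing item.
preflight() {
    realm="$1"; keytab="${2:-/etc/krb5.keytab}"; user="${3:-ldap}"
    princ=$(expected_service_principal "$realm")
    klist -k "$keytab" | keytab_has_principal "$princ" \
        || { echo "missing $princ in $keytab"; return 1; }
    keytab_readable_by "$user" "$keytab" \
        || { echo "$keytab is not readable by $user"; return 1; }
    ldapsearch -x -b '' -s base supportedSASLMechanisms | server_offers_gssapi \
        || { echo "slapd does not advertise GSSAPI"; return 1; }
    ldapwhoami -Y GSSAPI
}
```

Run it as root as `preflight EXAMPLE.COM` after acquiring a ticket with kinit; each failing step names the checklist item to fix.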