Alex Duzsardi created DIRSERVER-2205:
----------------------------------------

             Summary: ldap tools don't work with gssapi sasl 
                 Key: DIRSERVER-2205
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: core
    Affects Versions: 2.0.0-M24
         Environment: Linux Centos 7 x64
ApacheDS 2.0.0-M4
openJDK 
krb5-workstation
openldap-clients
            Reporter: Alex Duzsardi


Hi,
I successfully installed ApacheDS, was able to start and configure the service,
and set up Kerberos authentication.
It works without problem from ApacheDS Studio, I can log in with GSSAPI, but
I can't say the same for the local LDAP tools (openldap-clients).
I can't get a TGT from Kerberos with kinit; I've exported the ldap service
principal using ktutil and saved it as /etc/krb5.keytab, configured krb5.conf,
configured ldap.conf.
Hostnames are configured statically through /etc/hosts, actually only one host,
as the server is also the client (LAN_IP example.com;
ldap/[email protected] got exported with ktutil).

[root@example ~]# cat /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
#    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = example.com:60088
        default_domain = EXAMPLE.COM
    }

[domain_realm]
         example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

------------------------------------------------------------------------


[root@example ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/[email protected]
[root@example ~]#

--------------------------------------------------------------------------------
[root@example ~]# kinit hnelson
Password for [email protected]:
[root@example ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/[email protected]
[root@example ~]#


[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)