Hello,

I have Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to set up GSSAPI Kerberos authentication with the LDAP server, but with little success. It seems that no matter what I try, I end up with the following error message:

dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example....@example.com)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))

I have set the import_environment in dovecot.conf:

import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache

And these in LDAP configuration:

dn = imap/host.example....@example.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example....@example.com

I have tried different values in dn and sasl_authz_id, and also leaving them out completely, but I always end up with the error message above. Using simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal imap/host.example....@example.com. The file is owned by the dovecot user, so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works, but I suppose it is irrelevant here since the connection attempt never reaches the LDAP server due to the error. I also have a similar setup for Postfix and it works fine.

Any ideas what to try next?

Best regards,
Juha
