On 2016-10-11 09:18, Aki Tuomi wrote:
On 11.10.2016 10:13, Juha Koho wrote:

I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
set up a GSSAPI Kerberos authentication with the LDAP server but with
little success. Seems no matter what I try I end up with the following
error message:

dovecot: auth: Error: LDAP: binding failed (dn
(imap/host.example....@example.com)): Local error, SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (No Kerberos credentials available (default
cache: FILE:/tmp/dovecot.krb5.ccache))

I have set the import_environment in dovecot.conf:


And these in LDAP configuration:

dn = imap/host.example....@example.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example....@example.com

I have tried with different values in dn and sasl_authz_id and also
leaving them out completely but I always end up with the error message
above. Using simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal
imap/host.example....@example.com. The file is owned by dovecot user
so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
connection attempt never reaches the LDAP server due to the error. I
also have similar setup for Postfix and it works fine.

Any ideas what to try next?

Best regards,

Can you provide klist output for the cache file? Also, it should be
readable by dovenull user, or whatever is configured as default_login_user.

Here's the klist output of the cache file:
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example....@example.com

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/example....@example.com
        renew until 10/12/2016 09:26:25

That I didn't know that also dovenull must have access to the cache but I tried also setting 0644 permissions to the cache file with no luck. So permissions shouldn't be the issue...


Reply via email to