Hi,

I'm trying to get slapd to use Heimdal Kerberos to provide
a single authentication backend for my network. I've followed
the Administrator's Guide on SASL[1] and the Cyrus FAQ entry
about connecting OpenLDAP with GSSAPI[2]. I'm stuck
at what I believe is a misunderstanding on my part.

I believe when I use -Y GSSAPI I should be using my
braiam/admin credentials, but according to the SASL facility
in slapd I'm not providing any. strace confirms that
it reads the /tmp/krb5cc_1000 file correctly.

I'm very confused as to how to proceed, since most of
the relevant results point to not having kinit'd.

I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1,
libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.

debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                                Aliases
  4  aes256-cts-hmac-sha1-96  host/ldap01.example....@example.com
  4  des3-cbc-sha1            host/ldap01.example....@example.com
  4  arcfour-hmac-md5         host/ldap01.example....@example.com
  9  aes256-cts-hmac-sha1-96  ldap/ldap01.example....@example.com
  9  des3-cbc-sha1            ldap/ldap01.example....@example.com
  9  arcfour-hmac-md5         ldap/ldap01.example....@example.com

debian@ldap01:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: braiam/ad...@example.com

  Issued                Expires               Principal
May 12 20:34:05 2020  May 13 20:34:05 2020  krbtgt/example....@example.com
May 12 20:34:11 2020  May 13 20:34:05 2020  ldap/ldap01.example....@example.com

debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b ""
supportedSASLMechanisms -H $ldap_host
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error:  No
credentials were supplied, or the credentials were unavailable or
inaccessible. (unknown mech-code 0 for mech unknown)


[1]: http://www.openldap.org/doc/admin24/sasl.html
[2]: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html


-- 
Braiam
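The checks below are an added example, not code from the original post or from OpenLDAP, Heimdal or Cyrus SASL. They cover the client-side prerequisites a GSSAPI bind needs before the mechanism can pick up any credentials at all: a FILE: cache readable by the uid that runs ldapsearch, an unexpired TGT, an unexpired ldap/<host> service ticket, and the Cyrus SASL GSSAPI plugin being installed. The klist parser follows Heimdal's output format as shown in the post; the sample klist text is constructed with assumed, untruncated host and realm names, and the plugin directories are an assumption for Debian amd64.

```python
#!/usr/bin/env python3
"""Pre-flight checks for an `ldapsearch -Y GSSAPI` bind (added example).

Parses Heimdal `klist` output and checks for a readable credential cache,
an unexpired TGT, an unexpired ldap/<host> ticket and the SASL GSSAPI plugin.
"""
import os
import re
import subprocess
import sys
from datetime import datetime

# Heimdal klist ticket line: "<issued>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(?P<issued>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<expires>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<principal>\S+)$"
)
TIME_FMT = "%b %d %H:%M:%S %Y"

# Assumed Cyrus SASL plugin directories (Debian amd64 first, generic second).
SASL_PLUGIN_DIRS = ("/usr/lib/x86_64-linux-gnu/sasl2", "/usr/lib/sasl2")

# Constructed sample modelled on the post's klist output; host and realm
# names are assumed, not taken from the post's truncated output.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: braiam/admin@EXAMPLE.COM

  Issued                Expires               Principal
May 12 20:34:05 2020  May 13 20:34:05 2020  krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 12 20:34:11 2020  May 13 20:34:05 2020  ldap/ldap01.example.com@EXAMPLE.COM
"""


def parse_klist(text):
    """Return (cache_name, client_principal, [(service_principal, expires)])."""
    cache = principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Credentials cache:"):
            cache = line.split(":", 1)[1].strip()  # e.g. FILE:/tmp/krb5cc_1000
        elif line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:
                expires = datetime.strptime(m.group("expires"), TIME_FMT)
                tickets.append((m.group("principal"), expires))
    return cache, principal, tickets


def ticket_status(tickets, service_prefix, now):
    """True = present and unexpired, False = present but expired, None = absent."""
    for svc, expires in tickets:
        if svc.startswith(service_prefix):
            return expires > now
    return None


def check_klist(text, ldap_host, now_str):
    """Summarise what the cache holds for a bind to ldap/<ldap_host>.
    now_str uses klist's own timestamp format so results are reproducible."""
    now = datetime.strptime(now_str, TIME_FMT)
    cache, principal, tickets = parse_klist(text)
    return {
        "cache": cache,
        "principal": principal,
        "tgt": ticket_status(tickets, "krbtgt/", now),
        "ldap_ticket": ticket_status(tickets, "ldap/" + ldap_host + "@", now),
    }


def ccache_readable(cache):
    """A FILE: cache must be readable by the uid that runs ldapsearch.
    The default name embeds the uid (krb5cc_<uid>), so a client run as a
    different user sees a different file unless KRB5CCNAME overrides it."""
    if not cache:
        return False
    ctype, _, path = cache.partition(":")
    if ctype != "FILE":
        return True  # KCM:/API: caches are not inspected here
    return os.access(path, os.R_OK)


def sasl_gssapi_plugin():
    """Path of libgssapiv2.so if the Cyrus SASL GSSAPI plugin is installed, else None."""
    for d in SASL_PLUGIN_DIRS:
        p = os.path.join(d, "libgssapiv2.so")
        if os.path.exists(p):
            return p
    return None


def main(argv):
    ldap_host = argv[1] if len(argv) > 1 else "ldap01.example.com"  # assumed host
    try:
        text = subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("klist unavailable, using constructed sample output")
        text = SAMPLE_KLIST
    report = check_klist(text, ldap_host, datetime.now().strftime(TIME_FMT))
    report["cache_readable"] = ccache_readable(report["cache"])
    report["sasl_gssapi_plugin"] = sasl_gssapi_plugin()
    report["KRB5CCNAME"] = os.environ.get("KRB5CCNAME")
    for k, v in report.items():
        print(f"{k:20} {v}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the same user, and from the same environment, that runs ldapsearch; a report showing a readable cache, an unexpired ldap/<host> ticket and a present plugin means the client side has what the GSSAPI mechanism needs, and the next place to look is the bind exchange itself (for example with ldapsearch -d and the KRB5_TRACE environment variable Heimdal honours).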
