3 Replies Latest reply on Mar 2, 2007 8:12 AM by 807573

    SASL GSSAPI with DS 5.2 server, and OpenLDAP clients

      I am trying to use SASL GSSAPI to authenticate clients with DS 5.2 P4. All went well, and I enabled GSSAPI, set up identity mappings, etc., and it works fine when testing with 'ldapsearch' on a Solaris 10 client.

      Using a Linux client, however, with OpenLDAP's ldapsearch (and Cyrus SASL, MIT Kerberos), GSSAPI authentication fails with this error, every single time:
      SASL/GSSAPI authentication started
      ldap_sasl_interactive_bind_s: Invalid credentials (49)
              additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code 188)
This appears to be an error message generated by DS5.2, and not by the OpenLDAP ldapsearch client, since scanning the packets of the exchange shows this message appearing in the bindResponse traffic returning from the DS5.2 server.

      I cannot get any DS5.2 logs to give me any useful information, presumably because everything is just passed off to the SASL library. Does GSSAPI authentication work with non-Sun clients? Is there any way to debug the SASL error and see what is going wrong?
        • 1. Re: SASL GSSAPI with DS 5.2 server, and OpenLDAP clients
          I remember having tested GSSAPI authentication on Solaris with OpenLDAP tools (ldapsearch) and Sun DS tools on Solaris.

          Error 49 is returned by the server, as well as the additional message.

          You can enable the TRACE error level to get more information about the SASL exchanges.

          But the error is really coming from the Kerberos library under GSS.

I have no knowledge of how to troubleshoot this.

          • 2. Re: SASL GSSAPI with DS 5.2 server, and OpenLDAP clients
            This turned out to be a keytab problem. I had to force the enctype on the ldap/fqdn principal keytab to be des-cbc-crc before it would work. I'm not sure if any other stronger ones would work, but at least that one does.
            • 3. Re: SASL GSSAPI with DS 5.2 server, and OpenLDAP clients

I have a problem connecting to the DS 5.2 server using SASL GSSAPI from an OpenLDAP client.

              I have configured GSSAPI identity mappings on the DS and have the KDC running on the same Solaris machine.

              When I do ldapsearch from the OpenLDAP client, I am getting the following error:

              ldapsearch -h -Y GSSAPI -U tester1
              SASL/GSSAPI authentication started
              ldap_sasl_interactive_bind_s: Local error (-2)
              additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Ticket expired)

Do I need to configure anything else on the client side (OpenLDAP client on the Linux machine)? Can you please give me the steps to make this work?
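The two failures reported in this thread, the service keytab problem that reply 2 worked around by forcing des-cbc-crc and the "Ticket expired" error in reply 3, can both be screened for before attempting the GSSAPI bind. The script below is an added example written for this page; it is not code from the thread, from Sun DS or from OpenLDAP. It parses the text that MIT `klist -k -e` (server keytab) and `klist` (client credential cache) print and reports what a troubleshooter would act on. The host names, realm, principals, timestamps and both listings are constructed for the example, and the long-form enctype names in the lookup table are what older MIT releases print and are an assumption. One caveat the thread does not state: des-cbc-crc is single DES with a 56-bit key, so the check flags it as a downgrade rather than treating it as a fix.

```python
"""Preflight checks for a SASL/GSSAPI LDAP bind: is the ldap/<fqdn> key in the
server keytab, with which enctypes, and is the client's TGT still valid?
Works on captured `klist -k -e` and `klist` text; all sample data below is
constructed for this example, not taken from a real system."""
import re
from datetime import datetime

# Long names older MIT klist -e prints, mapped to the short names used in
# krb5.conf and kadmin. Short names pass through unchanged. (Assumed map.)
_ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# Single-DES enctypes (56-bit keys): flagged so a des-cbc-crc "fix" is visible.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed `klist -k -e` output for the directory server's keytab.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ds.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 ldap/ds.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 host/ds.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed `klist` output for the client's credential cache.
SAMPLE_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tester1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/07 09:00:00  03/01/07 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
_STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
_TICKET_LINE = re.compile(r"^(%s)\s+(%s)\s+(\S+)" % (_STAMP, _STAMP))


def _parse_time(text):
    """MIT klist prints 2- or 4-digit years depending on release; accept both."""
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def keytab_enctypes(listing, principal):
    """Return {enctype: kvno} for every key of `principal` in a klist -k -e listing."""
    keys = {}
    for line in listing.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m and m.group(2) == principal:
            keys[_ENCTYPE_NAMES.get(m.group(3), m.group(3))] = int(m.group(1))
    return keys


def check_service_keytab(listing, principal):
    """Findings for the service key: present at all, which enctypes, any single DES."""
    keys = keytab_enctypes(listing, principal)
    return {"present": bool(keys),
            "enctypes": sorted(keys),
            "weak": sorted(set(keys) & WEAK_ENCTYPES)}


def tgt_status(cache_listing, realm, now):
    """'missing', 'expired' or 'valid' for the krbtgt/<realm> ticket in a klist listing."""
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for line in cache_listing.splitlines():
        m = _TICKET_LINE.match(line)
        if m and m.group(3) == wanted:
            return "valid" if now < _parse_time(m.group(2)) else "expired"
    return "missing"


def preflight(keytab_listing, cache_listing, service_principal, realm, now):
    """Run both checks in the order a troubleshooter would act on them."""
    findings = []
    status = tgt_status(cache_listing, realm, now)
    if status != "valid":
        findings.append("client TGT %s: run kinit before the GSSAPI bind" % status)
    kt = check_service_keytab(keytab_listing, service_principal)
    if not kt["present"]:
        findings.append("no key for %s in server keytab" % service_principal)
    elif kt["weak"]:
        findings.append("server keytab relies on single-DES enctypes: %s"
                        % ", ".join(kt["weak"]))
    return findings
```

On a real deployment, capture `klist -k -e` on the directory server and `klist` on the Linux client after `kinit tester1`, pass the text to `preflight()` with the real `ldap/<fqdn>@REALM` principal and the current time, and only then run `ldapsearch -Y GSSAPI -U tester1`; an expired or missing TGT is the client-side condition behind "Ticket expired", while a service principal absent from the keytab sends you back to kadmin before the bind can succeed.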