I am trying to use SASL GSSAPI to authenticate clients with DS 5.2 P4. All went well, and I enabled GSSAPI, set up identity mappings, etc., and it works fine when testing with 'ldapsearch' on a Solaris 10 client.
Using a Linux client, however, with OpenLDAP's ldapsearch (and Cyrus SASL, MIT Kerberos), GSSAPI authentication fails with this error, every single time:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188)
This appears to be an error message generated by DS5.2, and not the OpenLDAP ldapsearch client, since scanning the packets of the exchange shows this message appearing in the bindResponse traffic returning from the DS5.2 server.
I cannot get any DS5.2 logs to give me any useful information, presumably because everything is just passed off to the SASL library. Does GSSAPI authentication work with non-Sun clients? Is there any way to debug the SASL error and see what is going wrong?