[Fedora-directory-users] FDS, Kerberos, SASL confusion

Gordon Messmer yinyang at eburg.com
Thu Jul 26 19:45:13 UTC 2007


Hintermayer Johannes wrote:
> 
> #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v 
> ldap_initialize( <DEFAULT> )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (Permission denied)

I see that having fixed your permissions, that error is now "SASL(-14): 
authorization failure:".  Is there any more information in the error logs?

> I have tried several combinations of config files and password entries
> but none worked.

As far as I know, the userpassword contents are evaluated by OpenLDAP, 
but not by Fedora DS.  That attribute's contents shouldn't make any 
difference when you're using GSSAPI authentication.  You can delete the 
attribute if you're not storing an actual password.

> 1. Do I need saslauthd on every client which I want to authenticate via
> FDS/Kerberos?

No.  You don't need to configure it on the server, either.

> 2. Do I need a host principal for every client?

No.  You don't even need one on the server for authenticating LDAP 
connections.

> Here is my current configuration, please correct me if there are some
> unneeded files (these were built together from several tutorials):
> 
> /etc/krb5.conf

That looks fine.

> /etc/ldap.conf
> 
> host 172.16.50.2
> base dc=afb,dc=lan
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> SASL_MECH GSSAPI
> SASL_REALM AFB.LAN
> use_sasl on
> sasl_auth_id ldap/vafbds01.afb.lan

I'm not sure how much of the SASL stuff is required.  I don't have any 
of it in my own configs.  Try commenting all of the SASL related lines, 
and see if anything changes.

> /etc/sysconfig/saslauthd

You don't need saslauthd.

> /usr/lib/sasl2/slapd.conf

...nor do you need this.

> SASL Mapping:
> nssaslmapfiltertemplate: (uid=\1)
> nssaslmapregexstring: \(.*\)@\(.*\)

Under what DN are you storing that?  Have you tried without the '\' 
characters in nssaslmapregexstring?  The Howto disagrees with the manual 
about this... I don't use '\' characters in my working configuration.

> /opt/fedora-ds/slapd-vafbds01/start-slapd contains:
> "export KRB5_KTNAME=/etc/krb5.keytab"

In order to protect your host keytab, you should store the LDAP server's 
keytab in a different file.  The host keytab should be readable only by 
root.
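How the SASL mapping entry quoted above turns an authenticated GSSAPI identity into the LDAP search filter the server uses to find the bind DN, as an added example in Python (not code from the list or from Fedora DS). It assumes the server matches nssaslmapregexstring in a syntax where `\(` is a literal parenthesis, as Python's re does, and expands `\1` in nssaslmapfiltertemplate from the captured groups; the sample mappings and identities are constructed.

```python
import re
from typing import Optional

# Constructed sample mappings: the entry from the thread (with backslashes),
# the same entry without them, and a variant that only accepts the local realm.
MAPPINGS = {
    "escaped":      {"regex": r"\(.*\)@\(.*\)", "template": r"(uid=\1)"},
    "unescaped":    {"regex": r"(.*)@(.*)",     "template": r"(uid=\1)"},
    "realm_pinned": {"regex": r"(.*)@AFB\.LAN", "template": r"(uid=\1)"},
}


def map_sasl_identity(regex: str, template: str, authid: str) -> Optional[str]:
    """Apply one SASL mapping to an authenticated identity.

    If the identity matches the regex (whole string), every \\1..\\9 in the
    filter template is replaced by the corresponding captured group and the
    resulting filter is returned.  None means the mapping does not apply.
    """
    match = re.fullmatch(regex, authid)
    if match is None:
        return None

    def expand(ref):
        n = int(ref.group(1))
        return match.group(n) if n <= len(match.groups()) else ""

    return re.sub(r"\\([1-9])", expand, template)


def map_with_all(authid: str) -> dict:
    """Run one identity through every constructed mapping for comparison."""
    return {name: map_sasl_identity(cfg["regex"], cfg["template"], authid)
            for name, cfg in MAPPINGS.items()}


if __name__ == "__main__":
    for ident in ("bsmith@AFB.LAN", "bsmith@OTHER.LAN"):
        print(ident)
        for name, result in map_with_all(ident).items():
            print(f"  {name:13s} -> {result}")
```

With the backslashes the regex only matches identities that literally start with "(", so a principal such as bsmith@AFB.LAN never maps; the realm-pinned variant shows how to keep a principal from another realm from being mapped onto a local uid.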
