I am trying to use SASL-GSSAPI to leverage our Kerberos V authentication
REALM with Fedora Directory server. When I search anonymously for
supported SASL mechanisms, I get the following response. Seeing GSSAPI
is comforting, but I am sure that is not the whole story. I am running
the directory on RHEL 3 with SASL2. What I am looking for are some
docs for the entire process. Turbo Fredriksson has some excellent docs
on Open LDAP, but they don't seem to map well to the Fedora Directory.
Any suggestion would be greatly appreciated and I would love to
document the process for others.
ldapsearch -H ldaps://FQDN/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
When I attempt to bind to the directory and search for the same
information with the command line below:
ldapsearch -Y GSSAPI -X u:<valid uid> -b "" -s base -LLL -H ldaps://FQDN supportedSASLMechanism
I get the following command line error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
and the following error in the directory error log:
[27/Nov/2005:20:21:18 -0600] - new SSL connection on 69
[27/Nov/2005:20:21:18 -0600] - activity on 69r
[27/Nov/2005:20:21:18 -0600] - read activity on 69
[27/Nov/2005:20:21:18 -0600] - conn 12 activity level = 0
[27/Nov/2005:20:21:18 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
[27/Nov/2005:20:21:18 -0600] - listener got signaled
The directory seems to support SASL, and SASL2 is installed; I am just
not sure if anything else is required. A blank ldapsearch reveals the
following:
SASL/DIGEST-MD5 authentication started
The directory docs are pretty thin. Any help would be appreciated.
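The GSSAPI failure above is reported by the server side of the handshake (gss_accept_sec_context), so the pieces worth checking before touching the LDAP layer are the service ticket the client presents and the key the server has for ldap/FQDN. The script below is an added example, not part of this thread: it parses captured `klist -e` output from the client, `klist -kte` output from the server, and the directory error log, and reports when the ticket's encryption type is not one the server's keytab holds for the ldap service principal, which is one common way to end up with "Bad encryption type" from the server's Kerberos library (an enctype it does not support or permit is the other). Host name, realm, principal names and enctypes in the sample data are constructed, not taken from the poster's setup.

```python
"""Offline cross-check of the Kerberos pieces behind a SASL/GSSAPI LDAP bind.

Added example (not from the original thread). It parses captured output of
`klist -e` on the client and `klist -kte` on the directory server, plus
the server's error log, and reports mismatches that commonly end in
"GSSAPI Error: Miscellaneous failure (Bad encryption type)". All sample
output below is constructed for illustration.
"""
import re

# --- constructed sample data (hypothetical host ds.example.com / EXAMPLE.COM)

CLIENT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: barry@EXAMPLE.COM

Valid starting     Expires            Service principal
11/27/05 20:20:00  11/28/05 06:20:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
11/27/05 20:21:18  11/28/05 06:20:00  ldap/ds.example.com@EXAMPLE.COM
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/27/05 19:58:01 ldap/ds.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 11/27/05 19:58:01 ldap/ds.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
"""

ERROR_LOG = """\
[27/Nov/2005:20:21:18 -0600] - new SSL connection on 69
[27/Nov/2005:20:21:18 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
[27/Nov/2005:20:21:18 -0600] - listener got signaled
"""

# One keytab row from `klist -kte`: KVNO, timestamp, principal, (enctype)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.+)\)\s*$")
# GSSAPI status pair as the directory logs it: "major (minor)"
GSSAPI_LOG_RE = re.compile(r"GSSAPI Error: (?P<major>[^(]+?) \((?P<minor>[^)]+)\)")


def parse_client_tickets(klist_output):
    """Map service principal -> enctype the ticket itself is encrypted with.

    That is the 'tkt' half of the 'Etype (skey, tkt): ...' line printed by
    `klist -e`; the server must hold a key of that type to decrypt it.
    """
    tickets = {}
    current = None
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and "@" in fields[4]:   # start, expiry, principal
            current = fields[4]
        elif line.lstrip().startswith("Etype (skey, tkt):") and current:
            _, types = line.split(":", 1)
            _skey, tkt = [t.strip() for t in types.split(",", 1)]
            tickets[current] = tkt
    return tickets


def parse_keytab(klist_kte_output):
    """Map principal -> set of enctypes present in the keytab (`klist -kte`)."""
    keys = {}
    for line in klist_kte_output.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(3), set()).add(m.group(4))
    return keys


def check_service_key(service, tickets, keytab):
    """Findings for one service principal; empty list means nothing obvious."""
    if service not in tickets:
        return ["client holds no ticket for %s (kinit, then bind once)" % service]
    if service not in keytab:
        return ["server keytab has no entry for %s" % service]
    tkt_type = tickets[service]
    if tkt_type not in keytab[service]:
        return ["ticket for %s uses %s but keytab only holds: %s"
                % (service, tkt_type, ", ".join(sorted(keytab[service])))]
    return []


def find_gssapi_errors(error_log):
    """Pull (major, minor) GSSAPI status pairs out of directory error-log lines."""
    return [(m.group("major"), m.group("minor"))
            for m in GSSAPI_LOG_RE.finditer(error_log)]


def diagnose(client_klist, server_keytab, error_log, service):
    """Combine the keytab/ticket check with whatever the server log reports."""
    findings = check_service_key(service, parse_client_tickets(client_klist),
                                 parse_keytab(server_keytab))
    for major, minor in find_gssapi_errors(error_log):
        findings.append("server log: %s (%s)" % (major, minor))
    return findings


if __name__ == "__main__":
    for f in diagnose(CLIENT_KLIST, SERVER_KEYTAB, ERROR_LOG,
                      "ldap/ds.example.com@EXAMPLE.COM"):
        print(f)
```

Feed it real output by replacing the three constructed strings with the captured text; the enctype names must be compared as `klist` prints them on each machine, since the client and server may run different Kerberos releases. A match here rules out the keytab as the cause and leaves the transport question the reply raises (SASL over the SSL port) as the next thing to test.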

Barry R Ribbeck wrote:
> I am trying to use SASL-GSSAPI to leverage our Kerberos V
> authentication REALM with Fedora Directory server. When I search
> anonymously for supported SASL mechanisms, I get the following
> response. Seeing GSSAPI is comforting, but I am sure that is not the
> whole story. I am running the directory on RHEL 3 with SASL2. What I
> am looking for are some docs for the entire process. Turbo
> Fredriksson has some excellent docs on Open LDAP, but they don't seem
> to map well to the Fedora Directory. Any suggestion would be greatly
> appreciated and I would love to document the process for others.

There isn't a whole lot to document here, since the server is punting the payload to GSSAPI, much the same as OL does. The differences are in user identity mapping, but it would appear that you haven't got that far yet. The initial handshake isn't completing.

> When I attempt to bind to the directory and search for the same
> information with the command line below.
>
> ldapsearch -Y GSSAPI -X u:<valid uid> -b "" -s base -LLL -H
> ldaps://FQDN supportedSASLMechanism

Did you really mean to initiate a SASL/GSSAPI bind over SSL? I'm not sure that will work. It might, but it may not be supported. I know for sure that encrypted GSSAPI will _not_ work. It uses the same layered I/O hooks that SSL does, and you can't have both active at the same time (nor would you want to, AFAIK). Try the non-SSL port and see what happens.