Are you able to kinit? For testing only, please change the /etc/krb5.keytab to 644 (please change it back to 600 when you finish testing) and then restart slapd. Did it work? Could you tail -f /var/log/syslog?
Thank you
Amir
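The reply above suggests temporarily opening the keytab to 644 to see whether slapd can read it. The following is an added example, not part of this thread, that answers the same question from mode bits alone so the keytab does not have to be made world-readable; it assumes you know the uid/gid slapd runs as (the `uid`/`gid` arguments) and it ignores ACLs and SELinux, which can still deny access.

```python
import os
import stat
import tempfile


def file_owner(path):
    """Return (uid, gid) of the file at path."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def keytab_readable_by(path, uid, gid, supplementary_gids=()):
    """Return (readable, world_readable, detail) for the keytab at path as
    seen by a process with the given uid/gid, judged from mode bits only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    groups = {gid, *supplementary_gids}
    if uid == 0:
        readable = True                       # root bypasses mode bits
    elif st.st_uid == uid:
        readable = bool(mode & stat.S_IRUSR)
    elif st.st_gid in groups:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    world_readable = bool(mode & stat.S_IROTH)
    detail = "mode %04o owner uid=%d gid=%d" % (mode, st.st_uid, st.st_gid)
    return readable, world_readable, detail


def diagnose(path, uid, gid, supplementary_gids=()):
    """Classify the keytab for the service account: 'unreadable' explains a
    GSSAPI 'No such file or directory' style failure; 'world-readable' means
    the long-term keys are exposed and the mode should go back to 600/640;
    'ok' means the service can read it without anyone else being able to."""
    readable, world, _ = keytab_readable_by(path, uid, gid, supplementary_gids)
    if not readable:
        return "unreadable"
    if world:
        return "world-readable"
    return "ok"


def sample_keytab(mode):
    """Write a constructed placeholder file (not a real keytab) with the given
    mode so the checks can be exercised offline; returns its path."""
    fd, path = tempfile.mkstemp(prefix="krb5-sample-")
    os.write(fd, b"\x05\x02")        # keytab v2 magic, constructed sample only
    os.close(fd)
    os.chmod(path, mode)
    return path
```

For a real check, pass the keytab path from KRB5_KTNAME (or /etc/krb5.keytab) together with slapd's uid/gid; an "unreadable" result is usually fixed by chgrp to the service group and chmod 640, or by a dedicated keytab, rather than by 644.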
From: listbox@hymerfania.com
To: openldap-software@openldap.org
Subject: LDAP config problem with GSSAPI: No such file or directory
Date: Tue, 15 Jan 2008 14:52:07 -0800
Hi folks, I'm having a real hard time debugging this. I'm a newbie, trying to do a new ldap+kerberos install on a new Fedora 7 box. I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not help. I also checked permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
Any help would be greatly appreciated :)
[installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
[installer@trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: installer@HYMESRUZICKA.ORG

Valid starting     Expires            Service principal
01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
01/15/08 13:12:35  01/16/08 13:11:43  ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[installer@trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# This file should be world readable but not world writable.

BASE    dc=hymesruzicka,dc=org
URI     ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR   /etc/openldap/cacerts/
TLS_REQCERT     allow

#SIZELIMIT      12
TIMELIMIT       5
#DEREF          never
I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessible. Actually I'm surprised that strace does not show any attempts to open the keytabs or anything in /etc/openldap/cacerts...
Thanks!
Listbox