Allan cr4z3d@gmail.com writes:
Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for authentication/authorization. I'm a bit confused on how to get it all working, but I've gotten far enough that I can run getent passwd test.user and it pulls down the information from ldap (ran as root and non-root user). I can also successfully get a ticket with kinit from various users. Where I run into problems is actually getting services to use GSSAPI. I am currently using nss_ldap and pam_ldap to authenticate during ssh login; if there's a better alternative, please let me know.
Here's the setup I've got:

Services -> FQDN -> IP
ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
ssh -> cake.crazy.lan -> 192.168.1.6
[...]
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
==============================================================
This is where I get a bit confused: it tells me that there's no mechanism for GSSAPI. So I try changing to no SASL options in the configuration file:
What is the output of ldapsearch -x -H ldap://localhost -b "" -s base supportedSaslMechanisms ?
-Dieter
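As an added example (not code from either poster), here is a small Python check that reads slapd "stats" log lines like the ones quoted above and reports, per connection, whether TLS was established and whether a SASL bind (method=163) was rejected with err=7 because the server has no such mechanism installed. The sample log is a constructed copy of the thread's lines; the regexes assume the default slapd loglevel 256 line format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd log quoted earlier in the thread.
SAMPLE_LOG = """\
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
"""

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SASL_FAIL_RE = re.compile(r"SASL \[conn=(\d+)\] Failure: Couldn't find mech (\S+)")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 is BindResponse

def summarize(log_text):
    """Return {conn_id: {tls_ssf, binds, missing_mech}} from slapd stats log lines."""
    conns = defaultdict(lambda: {"tls_ssf": 0, "binds": [], "missing_mech": None})
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            conns[int(m.group(1))]["tls_ssf"] = int(m.group(2))
        elif m := BIND_RE.search(line):
            # method=163 is the SASL choice in BindRequest; 128 would be simple bind
            conns[int(m.group(1))]["binds"].append(
                {"op": int(m.group(2)), "dn": m.group(3), "method": int(m.group(4)), "err": None})
        elif m := SASL_FAIL_RE.search(line):
            conns[int(m.group(1))]["missing_mech"] = m.group(2)
        elif m := RESULT_RE.search(line):
            for b in conns[int(m.group(1))]["binds"]:
                if b["op"] == int(m.group(2)):
                    b["err"] = int(m.group(3))  # err=7 is authMethodNotSupported
    return dict(conns)

def failed_sasl_binds(summary):
    """Connections whose SASL bind failed because the mechanism is not available."""
    return {cid: s["missing_mech"] for cid, s in summary.items()
            if s["missing_mech"]
            and any(b["method"] == 163 and b["err"] == 7 for b in s["binds"])}

if __name__ == "__main__":
    for cid, mech in failed_sasl_binds(summarize(SAMPLE_LOG)).items():
        print(f"conn={cid}: SASL bind rejected, server lacks mech {mech}")
```

A hit here means the Cyrus SASL GSSAPI plugin is not visible to slapd, which is exactly what the rootDSE query for supportedSASLMechanisms confirms from the client side.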