Bjørn Nachtwey wrote:
dear all,
Oliver Liebel wrote:
you should be more specific when posting your questions: used versions of openldap, cyrus sasl and kerberos (at last: mit / heimdal?)
openldap: 2.3.27
cyrus sasl: 2.1.22 (binary package and sources)
kerberos: k5 heimdal
mod_auth_kerb: 5.1.3
krb5-server: 1.6.1-17 (on kerberos-server, runs on a different server)
without any information about your config-files and posting of a log-output with a high debug-level, it is quite difficult to answer this at all.
running saslauthd with "-d", I got:
saslauthd[9800] :get_accept_lock : acquired accept lock
saslauthd[9800] :rel_accept_lock : released accept lock
saslauthd[9800] :do_auth : auth failure: [user=nachtwey] [service=imap] [realm=]
empty realm?
maybe this could be helpful:
http://www.openldap.org/faq/data/cache/944.html
http://www.semicomplete.com/articles/openldap-with-saslauthd/#id2244822
[mech=kerberos5] [reason=saslauthd internal error]
saslauthd[9800] :get_accept_lock : acquired accept lock,
I just wonder, because no /etc/sasl2db was created on the SL-machine (but was on debian)
if you want to store your user/passwords in openldap, you don't need sasldb2 at all
maybe you should take a look at the debug-output of slapd first.
as long as sasl does not work, i do not mention slapd ;-) but: slapd runs fine if I neglect the authentication problem by sasl
Bjørn Nachtwey wrote:
Dear all,
I set up an ldap server and want to use sasl/kerberos5 for authentication.
you mean: gssapi
no, i mean kerberos5
well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works.
the configuration of both systems is the same,
snippets of the config-files...
cat /etc/krb5.conf @ SL-machine:
[realms]
TU-BS.de = {
    kdc = rzkrb1.rz.tu-bs.de
    kdc = rzkrb2.rz.tu-bs.de
    admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
tu-bs.de = TU-BS.de
.tu-bs.de = TU-BS.de
cat /etc/krb5.conf @ Debian/Etch:
[realms]
TU-BS.DE = {
    kdc = rzkrb1.rz.tu-bs.de
    admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
.tu-bs.de = TU-BS.DE
tu-bs.de = TU-BS.DE
cat /etc/default/saslauthd @ Debian/Etch:
START=yes
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=3
OPTIONS="-c"
cat /etc/sysconfig/saslauthd @ SL51
SOCKETDIR=/var/run/saslauthd
correct owner/rights on socketdir and socket ? (typical /var/run/saslauthd/mux ) just a guess...
MECH=kerberos5
FLAGS=
but it's the same if I do the saslauthd start with
saslauthd -a kerberos5 -n 1
on both machines: debian works, SL does not :-(
thanks,
Bjørn
besides hostname gives on debian just the name and on SL5.1 the FQN.
i also tried to compile cyrus/sasl from sources -- just the same.
sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea?
thanks & best regards,
Bjørn
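Added example, not part of the thread: a small Python check that parses the two krb5.conf snippets posted above and lists where they differ, since Kerberos realm names are case-sensitive and the two files are described as "the same". The function names `parse_krb5` and `compare` are made up for this illustration, and the sample strings are constructed from the posted snippets.

```python
# Constructed from the two krb5.conf snippets posted in the thread.
SL = """[realms]
TU-BS.de = {
 kdc = rzkrb1.rz.tu-bs.de
 kdc = rzkrb2.rz.tu-bs.de
 admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
tu-bs.de = TU-BS.de
.tu-bs.de = TU-BS.de
"""
DEBIAN = """[realms]
TU-BS.DE = {
 kdc = rzkrb1.rz.tu-bs.de
 admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
.tu-bs.de = TU-BS.DE
tu-bs.de = TU-BS.DE
"""

def parse_krb5(text):
    """Flatten krb5.conf text into {(section, block, key): [values]}."""
    conf, section, block = {}, "", ""
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], ""
        elif line == "}":
            block = ""
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                block = key  # start of a per-realm block
            else:
                conf.setdefault((section, block, key), []).append(val)
    return conf

def compare(a, b):
    """List differences between two configs; realm names are case-sensitive."""
    ca, cb = parse_krb5(a), parse_krb5(b)
    realms = lambda c: {blk for (sec, blk, _) in c if sec == "realms"}
    out = [f"realm case: {x} vs {y}" for x in sorted(realms(ca))
           for y in sorted(realms(cb)) if x != y and x.upper() == y.upper()]
    # Fold case so the rest of the report shows differences beyond spelling.
    fold = lambda c: {(s, blk.lower(), k): [v.lower() for v in vs]
                      for (s, blk, k), vs in c.items()}
    fa, fb = fold(ca), fold(cb)
    out += [f"{s}/{blk}/{k}: {fa.get((s, blk, k))} vs {fb.get((s, blk, k))}"
            for (s, blk, k) in sorted(fa.keys() | fb.keys())
            if fa.get((s, blk, k)) != fb.get((s, blk, k))]
    return out
```

Calling `compare(SL, DEBIAN)` reports the realm spelling difference and the extra `kdc` entry on the SL machine.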