Am Thu, 14 May 2020 13:22:28 -0400 schrieb Braiam braiamp@gmail.com:
Sorry for hijacking this thread.
Hi,
I'm trying to get slapd to use heimdal kerberos to provide a single authentication backend for my network. I've followed the Administrator's Guide on SASL[1] and cyrus faq entry about connecting OpenLDAP with GSSAPI[2]. I'm stuck at the what I believe is a misunderstanding from my part.
[...]
Out of curiosity and facing similar problems, I have just setup a playground mostly based on Raspian, bur additionaly OpenIndiana and OpenSUSE. The Environment: Packages: opensuse: openldap2.2-2.4.50-52.1.x86_64 cyrus-sasl-2.1.27-3.2.x86_64
raspian: slapd/stable,now 2.4.47 libsasl2-modules-gssapi-heimdal/stable 2.1.27 libsasl2-modules-gssapi-mit/stable,now 2.1.27
openindiana: slapd-2.4.48 security/gss@5.11 kernel GSSAPI V2
slapd on opensuse indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H ldap://pink.fritz.box SASL/GSSAPI authentication started SASL username: dieter@FRITZ.BOX SASL SSF: 56 SASL data security layer installed. dn:cn=dieter kluenter,ou=partner,o=avci,c=de
raspian:~ $ ldapwhoami -Ygssapi -Hldap://pink.fritz.box SASL/GSSAPI authentication started SASL username: dieter@FRITZ.BOX SASL SSF: 256 SASL data security layer installed. dn:cn=dieter kluenter,ou=partner,o=avci,c=de
slapd on openindiana pink➜ ᐅ ldapwhoami -Ygssapi -H ldap://indiana.fritz.box SASL/GSSAPI authentication started SASL username: dieter@FRITZ.BOX SASL SSF: 256 SASL data security layer installed. dn:uid=dieter@fritz.box,cn=gssapi,cn=auth
slapd on Raspian pink➜ ᐅ ldapwhoami -Ygssapi -H ldap://raspi3.fritz.box SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H ldap://raspi3.fritz.box SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
KDC is MIT-KRB5
slapd configuration is identical on all hosts, krb5.keytab is individually setup for all hosts, each host has appropriate keys.
If applicable an individual ldap.keytab path is configured in sasl2/slapd.conf this ldap.keytabs are readable by slapd and owned by slapd user and group.
ldap/raspi3.fritz.box@FRITZ.BOX ldap/pink.fritz.box@FRITZ.BOX ldap/indiana.fritz.box@FRITZ.BOX
-Dieter