Hi,
I'm trying to get slapd to use heimdal kerberos to provide a single authentication backend for my network. I've followed the Administrator's Guide on SASL[1] and cyrus faq entry about connecting OpenLDAP with GSSAPI[2]. I'm stuck at the what I believe is a misunderstanding from my part.
I believe when I use -Y GSSAPI I should be using my braiam/admin credentials, but according to SASL facility in slapd I'm not providing any. strace confirms that it reads the /tmp/krb5cc_1000 file correctly.
I'm very confused as to how to proceed since most of the relevant results point to having not kinit'd.
I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1, libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.
debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab:
Vno Type Principal Aliases 4 aes256-cts-hmac-sha1-96 host/ldap01.example.com@EXAMPLE.COM 4 des3-cbc-sha1 host/ldap01.example.com@EXAMPLE.COM 4 arcfour-hmac-md5 host/ldap01.example.com@EXAMPLE.COM 9 aes256-cts-hmac-sha1-96 ldap/ldap01.example.com@EXAMPLE.COM 9 des3-cbc-sha1 ldap/ldap01.example.com@EXAMPLE.COM 9 arcfour-hmac-md5 ldap/ldap01.example.com@EXAMPLE.COM
debian@ldap01:~$ klist Credentials cache: FILE:/tmp/krb5cc_1000 Principal: braiam/admin@EXAMPLE.COM
Issued Expires Principal May 12 20:34:05 2020 May 13 20:34:05 2020 krbtgt/EXAMPLE.COM@EXAMPLE.COM May 12 20:34:11 2020 May 13 20:34:05 2020 ldap/ldap01.example.com@EXAMPLE.COM
debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b "" supportedSASLMechanisms -H $ldap_host SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
[1]: http://www.openldap.org/doc/admin24/sasl.html [2]: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html