Dear all,
I set up an ldap server and want to use sasl/kerberos5 for authentication.
well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works.
the configuration of both systems is the same, besides hostname gives on debian just the name and on SL5.1 the FQN.
i also tried to compile cyrus/sasl from sources -- just the same.
sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea?
thanks & best regards,
Bjørn
you should be more specific when posting your questions: used versions of openldap, cyrus sasl and kerberos (at last: mit / heimdal?). without any information about your config-files and posting of a log-output with a high debug-level, it is quite difficult to answer this at all. maybe you should take a look at the debug-output of slapd first.
Bjørn Nachtwey wrote:
Dear all,
I set up an ldap server and want to use sasl/kerberos5 for authentication.
you mean: gssapi
well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works.
the configuration of both systems is the same,
snippets of the config-files...
besides hostname gives on debian just the name and on SL5.1 the FQN.
i also tried to compile cyrus/sasl from sources -- just the same.
sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea?
thanks & best regards,
Bjørn
____________ Virus checked by G DATA AntiVirusKit Version: AVK 18.4023 from 05.06.2008 Virus news: www.antiviruslab.com
dear all,
Oliver Liebel wrote:
you should be more specific when posting your questions: used versions of openldap, cyrus sasl and kerberos (at last: mit / heimdal?)
openldap: 2.3.27
cyrus sasl: 2.1.22 (binary package and sources)
kerberos: k5 heimdal
mod_auth_kerb: 5.1.3
krb5-server: 1.6.1-17 (on kerberos-server, runs on a different server)
without any information about your config-files and posting of a log-output with a high debug-level, it is quite difficult to answer this at all.
running saslauthd with "-d", I got:
saslauthd[9800] :get_accept_lock : acquired accept lock
saslauthd[9800] :rel_accept_lock : released accept lock
saslauthd[9800] :do_auth : auth failure: [user=nachtwey] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[9800] :get_accept_lock : acquired accept lock,
I just wonder, because no /etc/sasl2db was created on the SL-machine (but was on debian)
maybe you should take a look at the debug-output of slapd first.
as long as sasl does not work, i do not mention slapd ;-) but: slapd runs fine if I neglect the authentication problem by sasl
Bjørn Nachtwey wrote:
Dear all,
I set up an ldap server and want to use sasl/kerberos5 for authentication.
you mean: gssapi
no, i mean kerberos5
well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works.
the configuration of both systems is the same,
snippets of the config-files...
cat /etc/krb5.conf @ SL-machine:
[realms]
    TU-BS.de = {
        kdc = rzkrb1.rz.tu-bs.de
        kdc = rzkrb2.rz.tu-bs.de
        admin_server = rzafs7.rz.tu-bs.de
    }
[domain_realm]
    tu-bs.de = TU-BS.de
    .tu-bs.de = TU-BS.de
cat /etc/krb5.conf @ Debian/Etch:
[realms]
    TU-BS.DE = {
        kdc = rzkrb1.rz.tu-bs.de
        admin_server = rzafs7.rz.tu-bs.de
    }
[domain_realm]
    .tu-bs.de = TU-BS.DE
    tu-bs.de = TU-BS.DE
cat /etc/default/saslauthd @ Debian/Etch:
START=yes
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=3
OPTIONS="-c"
cat /etc/sysconfig/saslauthd @ SL51
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=
but it's the same if I do the saslauthd start with
saslauthd -a kerberos5 -n 1
on both machines: debian works, SL does not :-(
thanks,
Bjørn
besides hostname gives on debian just the name and on SL5.1 the FQN.
i also tried to compile cyrus/sasl from sources -- just the same.
sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea?
thanks & best regards,
Bjørn
Bjørn Nachtwey wrote:
dear all,
Oliver Liebel wrote:
you should be more specific when posting your questions: used versions of openldap, cyrus sasl and kerberos (at last: mit / heimdal?)
openldap: 2.3.27
cyrus sasl: 2.1.22 (binary package and sources)
kerberos: k5 heimdal
mod_auth_kerb: 5.1.3
krb5-server: 1.6.1-17 (on kerberos-server, runs on a different server)
without any information about your config-files and posting of a log-output with a high debug-level, it is quite difficult to answer this at all.
running saslauthd with "-d", I got:
saslauthd[9800] :get_accept_lock : acquired accept lock
saslauthd[9800] :rel_accept_lock : released accept lock
saslauthd[9800] :do_auth : auth failure: [user=nachtwey] [service=imap] [realm=]
empty realm?
maybe this could be helpful: http://www.openldap.org/faq/data/cache/944.html http://www.semicomplete.com/articles/openldap-with-saslauthd/#id2244822
[mech=kerberos5] [reason=saslauthd internal error] saslauthd[9800] :get_accept_lock : acquired accept lock,
I just wonder, because no /etc/sasl2db was created on the SL-machine (but was on debian)
if you want to store your user/passwords in openldap, you don't need sasldb2 at all
maybe you should take a look at the debug-output of slapd first.
as long as sasl does not work, i do not mention slapd ;-) but: slapd runs fine if I neglect the authentication problem by sasl
Bjørn Nachtwey wrote:
Dear all,
I set up an ldap server and want to use sasl/kerberos5 for authentication.
you mean: gssapi
no, i mean kerberos5
well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works.
the configuration of both systems is the same,
snippets of the config-files...
cat /etc/krb5.conf @ SL-machine:
[realms]
    TU-BS.de = {
        kdc = rzkrb1.rz.tu-bs.de
        kdc = rzkrb2.rz.tu-bs.de
        admin_server = rzafs7.rz.tu-bs.de
    }
[domain_realm]
    tu-bs.de = TU-BS.de
    .tu-bs.de = TU-BS.de
cat /etc/krb5.conf @ Debian/Etch:
[realms]
    TU-BS.DE = {
        kdc = rzkrb1.rz.tu-bs.de
        admin_server = rzafs7.rz.tu-bs.de
    }
[domain_realm]
    .tu-bs.de = TU-BS.DE
    tu-bs.de = TU-BS.DE
cat /etc/default/saslauthd @ Debian/Etch:
START=yes
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=3
OPTIONS="-c"
cat /etc/sysconfig/saslauthd @ SL51
SOCKETDIR=/var/run/saslauthd
correct owner/rights on socketdir and socket ? (typical /var/run/saslauthd/mux ) just a guess...
MECH=kerberos5 FLAGS=
but it's the same if I do the saslauthd start with
saslauthd -a kerberos5 -n 1
on both machines: debian works, SL does not :-(
thanks,
Bjørn
besides hostname gives on debian just the name and on SL5.1 the FQN.
i also tried to compile cyrus/sasl from sources -- just the same.
sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea?
thanks & best regards,
Bjørn
openldap-technical@openldap.org
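
Added example, not part of the original thread: the two krb5.conf excerpts posted above are not identical (the realm is written TU-BS.de on the SL machine and TU-BS.DE on Debian, and the KDC lists differ), and Kerberos realm names are case-sensitive. This Python sketch compares two krb5.conf texts setting by setting; the function names and the simplified parser are assumptions made for the example, and the sample inputs are constructed from the excerpts in the thread.

```python
SL51 = """[realms]
TU-BS.de = {
  kdc = rzkrb1.rz.tu-bs.de
  kdc = rzkrb2.rz.tu-bs.de
  admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
tu-bs.de = TU-BS.de
.tu-bs.de = TU-BS.de
"""  # constructed from the SL5.1 krb5.conf excerpt in the thread
DEBIAN = """[realms]
TU-BS.DE = {
  kdc = rzkrb1.rz.tu-bs.de
  admin_server = rzafs7.rz.tu-bs.de
}
[domain_realm]
.tu-bs.de = TU-BS.DE
tu-bs.de = TU-BS.DE
"""  # constructed from the Debian/Etch krb5.conf excerpt in the thread

def parse(text):
    """Simplified krb5.conf reader: returns (realms, domain_realm) dicts."""
    realms, domains, section, block = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "realms" and val == "{":
                block = realms.setdefault(key, {})     # start of a realm block
            elif section == "realms" and block is not None:
                block.setdefault(key, []).append(val)  # keys such as kdc may repeat
            elif section == "domain_realm":
                domains[key] = val
    return realms, domains

def compare(a, b):
    """List settings that differ; realm names are compared case-sensitively."""
    (ra, da), (rb, db), out = parse(a), parse(b), []
    for name, opts in ra.items():
        other = name if name in rb else next((r for r in rb if r.lower() == name.lower()), None)
        if other != name:
            out.append(f"realm {name}: " + (f"case differs from {other}" if other else "not in second file"))
        theirs = rb.get(other, {})
        out += [f"{name} {k}: {opts.get(k)} vs {theirs.get(k)}"
                for k in sorted(set(opts) | set(theirs)) if opts.get(k) != theirs.get(k)]
    return out + [f"domain_realm {d}: {da.get(d)} vs {db.get(d)}"
                  for d in sorted(set(da) | set(db)) if da.get(d) != db.get(d)]

print("\n".join(compare(SL51, DEBIAN)))
```

An empty result from compare() means the two files agree on every realm, KDC and domain mapping the parser understands.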