Hi,

On Thu, May 14, 2020 at 2:27 PM Braiam braiamp@gmail.com wrote:

I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1, libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.

debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab:

Can the slapd user read this keytab file?

Am Thu, 14 May 2020 13:22:28 -0400 schrieb Braiam braiamp@gmail.com:

Hi,

I'm trying to get slapd to use heimdal kerberos to provide a single authentication backend for my network. I've followed the Administrator's Guide on SASL[1] and cyrus faq entry about connecting OpenLDAP with GSSAPI[2]. I'm stuck at the what I believe is a misunderstanding from my part.

I believe when I use -Y GSSAPI I should be using my braiam/admin credentials, but according to SASL facility in slapd I'm not providing any. strace confirms that it reads the /tmp/krb5cc_1000 file correctly.

I'm very confused as to how to proceed since most of the relevant results point to having not kinit'd.

I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1, libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.

debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab:

Vno Type Principal Aliases 4 aes256-cts-hmac-sha1-96 host/ldap01.example.com@EXAMPLE.COM 4 des3-cbc-sha1 host/ldap01.example.com@EXAMPLE.COM 4 arcfour-hmac-md5 host/ldap01.example.com@EXAMPLE.COM 9 aes256-cts-hmac-sha1-96 ldap/ldap01.example.com@EXAMPLE.COM 9 des3-cbc-sha1 ldap/ldap01.example.com@EXAMPLE.COM 9 arcfour-hmac-md5 ldap/ldap01.example.com@EXAMPLE.COM

debian@ldap01:~$ klist Credentials cache: FILE:/tmp/krb5cc_1000 Principal: braiam/admin@EXAMPLE.COM

Issued Expires Principal May 12 20:34:05 2020 May 13 20:34:05 2020 krbtgt/EXAMPLE.COM@EXAMPLE.COM May 12 20:34:11 2020 May 13 20:34:05 2020 ldap/ldap01.example.com@EXAMPLE.COM

debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b "" supportedSASLMechanisms -H $ldap_host SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)

Long time ago that I used a Heimdal KDC. AFAIR there are some minor differnces between sasl libgssapi, MIT-KRB5 libs and tools, and heimdal gss-api and kerberos tools. Please check the sasl2 configuration path for slapd.conf. https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html While some distributions change this path to /etc/sasl2/slapd.conf, or /etc/ldap/sasl2/slapd.conf, sasl refers to /usr/lib/sasl2/slapd.conf This slapd.conf must be readable by slapd.

-Dieter