GSSAPI authentication between 1.2.10 and 1.2.11
Hello all,
We are trying to set up GSSAPI SASL authentication using Kerberos keytabs between 389-ds 1.2.10.6 (on Fedora 15) and 1.2.11.4 (on Fedora 17). However, we are getting an unspecified GSSAPI error. Are there any known bugs / changes that could possibly cause this to happen?

Edward
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
GSSAPI authentication between 1.2.10 and 1.2.11
Edward,
What is the error you are getting?

Mark

On 05/30/2012 12:54 AM, Edward Z. Yang wrote:
--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds@redhat.com
GSSAPI authentication between 1.2.10 and 1.2.11
We haven't been able to get anything more specific than err=49.
Edward

Excerpts from Mark Reynolds's message of Wed May 30 16:30:00 -0400 2012:
> What is the error you are getting?
GSSAPI authentication between 1.2.10 and 1.2.11
Are you using ldapsearch?
Anyway, double check these settings:

[1] /etc/sysconfig/dirsrv-INSTANCE: make sure that KRB5_KTNAME points to the correct keytab file!!

[2] Check your DS mappings in the dse.ldif (you can only edit this file when the server is stopped). Make sure the nsSaslMapBaseDNTemplate attr points to your correct DIT name (dc=company,dc=com, etc.):

    dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
    changetype: modify
    replace: nsSaslMapBaseDNTemplate
    nsSaslMapBaseDNTemplate: o=testsasl.com

    dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
    changetype: modify
    replace: nsSaslMapBaseDNTemplate
    nsSaslMapBaseDNTemplate: o=testsasl.com

    dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
    changetype: modify
    replace: nsSaslMapBaseDNTemplate
    nsSaslMapBaseDNTemplate: o=testsasl.com

    dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
    changetype: modify
    replace: nsSaslMapBaseDNTemplate
    nsSaslMapBaseDNTemplate: o=testsasl.com

[3] Make sure /etc/krb5.conf is configured correctly.

[4] If this fails, stop slapd, edit dse.ldif and add "nsslapd-errorlog-level: 1" to the cn=config entry -> then reproduce the error, and send me the error log. Then you can unset that attribute, as it will significantly degrade performance.

There are a lot of other factors, like are your keytabs correct? Is DNS correctly working? Etc.

Mark

On 05/30/2012 06:20 PM, Edward Z. Yang wrote:
> We haven't been able to get anything more specific than err=49.
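The following check script is an addition to this thread (not code from the list or from 389-ds itself); it walks Mark's items [1] and [2] and confirms the keytab holds an ldap/ principal. It assumes the default instance paths /etc/sysconfig/dirsrv-INSTANCE and /etc/dirsrv/slapd-INSTANCE/dse.ldif, and lets you point it at a different sysconfig file, since the file the server actually reads may not be the one you edited.

```shell
#!/bin/bash
# Added check script for a 389-ds GSSAPI setup; not from the thread or the project.
# Paths used in the driver at the bottom are assumed defaults.

# [1] Path that KRB5_KTNAME names in a sysconfig file (last assignment wins).
# Accepts KRB5_KTNAME=/path, KRB5_KTNAME="FILE:/path" and an "export " prefix;
# prints nothing when the variable is not set in that file.
ktname_from_sysconfig() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=["'\'']?(FILE:)?([^"'\'' ]*).*/\3/p' "$1" |
        tail -n 1
}

# Keytab check: file is readable and holds an ldap/ service principal (needs klist).
keytab_has_ldap_principal() {
    [ -r "$1" ] && klist -kt "$1" 2>/dev/null | grep -q ' ldap/'
}

# [2] Print every nsSaslMapBaseDNTemplate in a dse.ldif whose value does not end in
# the expected suffix (compared case-insensitively); prints nothing when all match.
sasl_template_mismatches() {   # $1 = dse.ldif, $2 = suffix such as dc=company,dc=com
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^nssaslmapbasedntemplate:/ {
            val = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", val)
            lv = tolower(val); n = length(lv); m = length(want)
            if (n < m || substr(lv, n - m + 1) != want) print dn " -> " val
        }' "$1"
}

# Usage: check_gssapi.sh INSTANCE SUFFIX [SYSCONFIG_FILE]
# The optional third argument lets you check the file the server really reads
# (the thread shows /etc/sysconfig/dirsrv-scripts being the one that took effect).
if [ $# -ge 2 ]; then
    inst=$1
    suffix=$2
    sysconf=${3:-/etc/sysconfig/dirsrv-$inst}          # assumed default path
    kt=$(ktname_from_sysconfig "$sysconf")
    if [ -z "$kt" ]; then echo "KRB5_KTNAME is not set in $sysconf"
    elif ! keytab_has_ldap_principal "$kt"; then echo "no readable ldap/ principal in $kt"
    else echo "keytab OK: $kt"; fi
    bad=$(sasl_template_mismatches "/etc/dirsrv/slapd-$inst/dse.ldif" "$suffix")  # assumed path
    [ -z "$bad" ] && echo "SASL mappings OK" || printf 'mapping outside %s:\n%s\n' "$suffix" "$bad"
fi
```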
GSSAPI authentication between 1.2.10 and 1.2.11
Hello Mark,
It looks like the systemd-ification meant specifying KRB5_KTNAME in /etc/sysconfig/dirsrv no longer works; when I moved the environment variable to /etc/sysconfig/dirsrv-scripts it started working. This is probably a bug; I'll make sure I diagnosed this correctly and then file a report.

If dirsrv could add a log message saying something to the effect of "using Kerberos keytab at ..." that would probably be great :-)

Edward