05-30-2012, 04:54 AM
"Edward Z. Yang"

GSSAPI authentication between 1.2.10 and 1.2.11

Hello all,

We are trying to set up GSSAPI SASL authentication using Kerberos keytabs
between 389-ds 1.2.10.6 (on Fedora 15) and 1.2.11.4 (on Fedora 17).
However, we are getting an unspecified GSSAPI error. Are there
any known bugs / changes that could possibly cause this to happen?

Edward
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
05-30-2012, 08:30 PM
Mark Reynolds

Edward,

What is the error you are getting?

Mark

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds@redhat.com

 
05-30-2012, 10:20 PM
"Edward Z. Yang"

We haven't been able to get anything more specific than err=49.

Edward

 
05-30-2012, 10:42 PM
Mark Reynolds

Are you using ldapsearch?

Anyway, double check these settings:

[1] /etc/sysconfig/dirsrv-INSTANCE

Make sure that KRB5_KTNAME points to the correct keytab file!!

[2] Check your DS mappings in the dse.ldif (you can only edit this
file when the server is stopped)

Make sure the nsSaslMapBaseDNTemplate attr points to your correct DIT
name (dc=company,dc=com, etc.)


dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

[3] Make sure /etc/krb5.conf is configured correctly

[4] If this fails, stop slapd, edit dse.ldif and add
"nsslapd-errorlog-level: 1" to the cn=config entry


-> then reproduce the error, and send me the error log. Then you can
unset that attribute, as it will significantly degrade performance.


There are a lot of other factors, like are your keytabs correct? Is DNS
correctly working? Etc.


Mark

 
06-01-2012, 03:07 AM
"Edward Z. Yang"

Hello Mark,

It looks like with the systemd-ification of meant specifying
KRB5_KTNAME in /etc/sysconfig/dirsrv no longer works; when
I moved the environment variable to /etc/sysconfig/dirsrv-scripts
it started working. This is probably a bug; I'll make sure I
diagnosed this correctly and then file a report.

If dirsrv could add a log message saying something to the effect
of "using Kerberos keytab at ..." that would probably be great :-)

Edward
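Added example, not part of the thread and not 389-ds project code: a shell check for the failure described in the last message, where KRB5_KTNAME is set in a sysconfig file but never reaches the server process. It compares the configured value with the one in the process's /proc/<pid>/environ; the function names and the process name ns-slapd in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example: compare the keytab a sysconfig file sets with the one the
# running directory server process actually inherited at start-up.

# Print the KRB5_KTNAME value from a NUL-separated environ file
# (/proc/<pid>/environ on Linux). Prints nothing if the variable is unset.
ktname_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5_KTNAME=//p' | head -n 1
}

# Print the last uncommented KRB5_KTNAME assignment in a sysconfig-style file,
# tolerating a leading "export", surrounding quotes and a trailing "; export ...".
ktname_from_sysconfig() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' "$1" |
        tail -n 1 |
        sed -E 's/[[:space:]]*;.*$//; s/^["'\'']//; s/["'\'']$//'
}

# Strip the optional "FILE:" keytab type prefix so both spellings compare equal.
normalize_keytab() {
    printf '%s\n' "${1#FILE:}"
}

# check_keytab ENVIRON_FILE SYSCONFIG_FILE
# Returns 0 on match, 1 if the process has no KRB5_KTNAME, 2 if the values differ.
check_keytab() {
    local live conf
    live=$(normalize_keytab "$(ktname_from_environ "$1")")
    conf=$(normalize_keytab "$(ktname_from_sysconfig "$2")")
    if [ -z "$live" ]; then
        echo "process has no KRB5_KTNAME; configured: ${conf:-<none>}"
        return 1
    fi
    if [ "$live" != "$conf" ]; then
        echo "mismatch: process=$live configured=$conf"
        return 2
    fi
    echo "ok: $live"
}

# Live use as root (assumes the server process is named ns-slapd):
#   check_keytab "/proc/$(pgrep -o ns-slapd)/environ" /etc/sysconfig/dirsrv-INSTANCE
```

A return code of 1 matches the symptom in this thread: the file sets a keytab, but the process was started without the variable.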