[Fedora-directory-users] SASL-GSSAPI and KRB5

Barry R Ribbeck Barry.R.Ribbeck at rice.edu
Mon Nov 28 03:06:13 UTC 2005


I am trying to use SASL-GSSAPI to leverage our Kerberos V authentication 
REALM with Fedora Directory Server.  When I search anonymously for 
supported SASL mechanisms, I get the following response. Seeing GSSAPI 
is comforting, but I am sure that is not the whole story. I am running 
the directory on RHEL 3 with SASL2.  What I am looking for are some 
docs for the entire process.  Turbo Fredriksson has some excellent docs 
on OpenLDAP, but they don't seem to map well to the Fedora Directory. 
Any suggestion would be greatly appreciated and I would love to 
document the process for others.

ldapsearch -H ldaps://FQDN/ -x -b "" -s base -LLL supportedSASLMechanisms

dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS

When I attempt to bind to the directory and search for the same 
information with the command line below:

ldapsearch -Y GSSAPI -X u:<valid uid> -b "" -s base -LLL -H ldaps://FQDN supportedSASLMechanisms

I get the following command line error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context


and the following directory error log entries:
[27/Nov/2005:20:21:18 -0600] - new SSL connection on 69
[27/Nov/2005:20:21:18 -0600] - activity on 69r
[27/Nov/2005:20:21:18 -0600] - read activity on 69
[27/Nov/2005:20:21:18 -0600] - conn 12 activity level = 0
[27/Nov/2005:20:21:18 -0600] - sasl(2): GSSAPI Error: Miscellaneous failure (Bad encryption type)
[27/Nov/2005:20:21:18 -0600] - listener got signaled

The directory seems to support SASL, and SASL2 is installed; I am just 
not sure if anything else is required. A blank ldapsearch reveals the 
following:

ldapsearch
SASL/DIGEST-MD5 authentication started

The directory docs are pretty thin. Any help would be appreciated.
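An added diagnostic for the "Bad encryption type" failure above; it is not from the post or from Fedora Directory Server. It parses constructed `klist -ket` output from the server's keytab and constructed `klist -e` output from the client, and reports whether the ticket for the ldap/FQDN service uses an enctype the keytab actually holds. The keytab path, principal names and enctype strings are assumptions, as is the premise that the error means the keytab has no key matching the service ticket's enctype.

```python
import re

# Constructed sample of `klist -ket /etc/dirsrv/ldap.keytab` on the server (assumed path)
SERVER_KEYTAB = """\
KVNO Timestamp         Principal
   3 11/27/05 19:55:01 ldap/ldap.example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)
"""

# Constructed sample of `klist -e` on the client after kinit and the failed bind
CLIENT_CCACHE = """\
Default principal: user@EXAMPLE.ORG
Valid starting     Expires            Service principal
11/27/05 20:21:18  11/28/05 06:20:00  ldap/ldap.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
"""

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def keytab_enctypes(text):
    """Map principal -> set of enctype names listed in `klist -ket` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


def ticket_enctypes(text):
    """Map service principal -> enctype of the ticket itself from `klist -e` output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = ETYPE_LINE.match(line)
        if m and current:
            tickets[current] = m.group(2)  # second value is the ticket enctype
        elif "@" in line and not line.startswith(("Default", "Ticket")):
            current = line.split()[-1]      # service principal is the last column
    return tickets


def diagnose(keytab_text, ccache_text, service):
    """Say why gss_accept_sec_context would reject the client's ticket for `service`."""
    keys, tickets = keytab_enctypes(keytab_text), ticket_enctypes(ccache_text)
    if service not in keys:
        return "keytab has no key for %s (check KRB5_KTNAME and file permissions)" % service
    if service not in tickets:
        return "client holds no ticket for %s (was ldap/<FQDN> requested?)" % service
    if tickets[service] not in keys[service]:
        return "enctype mismatch: ticket uses %s, keytab has %s" % (
            tickets[service], ", ".join(sorted(keys[service])))
    return "keytab and ticket agree; look elsewhere (KVNO, clock skew)"
```

Run `klist -ket` on the server and `klist -e` on the client and feed the real output to diagnose() in place of the constructed samples.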
