
Re: OpenLDAP / SASL / Heimdal



On Monday, 7 June 2004 12:42, Andreas Haupt wrote:
> Hello,
>
> I'm trying to setup OpenLDAP with SASL2 and Heimdal. When trying to
> authenticate I get the following error in the log files:
>
> 2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
> dice.hmi.de@HMI.DE
> 2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
> dice.hmi.de@HMI.DE
> 2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
> request
> 2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
> request
> 2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
> 2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>
> I don't have a clue what this means and how I can avoid the problem...
> Heimdal server is version 0.6 (SuSE 9.0).

It seems this is related to the latest security update done by SuSE. After downgrading I got another (not so cryptic) error:

blh@dice:~> ldapsearch -x -H ldap://dice.hmi.de/ -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

blh@dice:~> ldapwhoami -H ldap://dice.hmi.de/ -D "cn=dice,dc=hmi,dc=de" -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
blh@dice:~> klist
Credentials cache: FILE:/tmp/krb5cc_10296
        Principal: blh@HMI.DE

  Issued           Expires          Principal
Jun  7 13:07:21  Jun  8 14:07:21  krbtgt/HMI.DE@HMI.DE
Jun  7 13:32:38  Jun  8 14:07:21  ldap/dice.hmi.de@HMI.DE
blh@dice:~> 

So I got a ticket. The rest is hopefully not complicated...

Greetings
Andreas

-- 
| Andreas Haupt                    | E-Mail:  andreas.haupt@hmi.de
| Hahn-Meitner-Institut (DN)       | WWW:
| Glienicker Straße 100            | Phone:   +49/30/8062-2597
| 14109 Berlin                     | Fax:     +49/30/8062-2096