Bug 846044 - Kerberos authentication not working with OpenLDAP (not using KRB5_KTNAME?)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openldap
Version: 17
Assigned To: Jan Vcelak
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-08-06 12:08 EDT by Braden McDaniel
Modified: 2013-03-03 20:30 EST
Last Closed: 2012-08-09 04:55:58 EDT
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Braden McDaniel 2012-08-06 12:08:25 EDT
Description of problem:
Since upgrading to Fedora 17, I'm not able to get Kerberos authentication working with OpenLDAP:

$ ldapsearch -Y GSSAPI -H ldap://ldap.endoframe.net -D "cn=Manager,dc=endoframe,dc=net" "objectClass=posixGroup"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation
specific) error (80)
      additional info: SASL(-1): generic failure: GSSAPI Error:
      Unspecified GSS failure.  Minor code may provide more
      information ()

I suspect this may be due to OpenLDAP not seeing the keytab file; however, I have appended the following line to /etc/sysconfig/slapd:

export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"


Version-Release number of selected component (if applicable):
2.4.31-3.fc17
Comment 1 Jan Vcelak 2012-08-07 05:18:14 EDT
Only a guess. Please, can you try without export. Just:
KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
Comment 2 Jan Vcelak 2012-08-07 10:02:51 EDT
I set it up in my testing environment and it seems to work:

$ cat /etc/sysconfig/slapd 
SLAPD_URLS="ldapi:/// ldap:///"
KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
$ ldapwhoami -Y GSSAPI -N -H ldap://ldap.example.com
SASL/GSSAPI authentication started
SASL username: jvcelak@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=jvcelak,cn=example.com,cn=gssapi,cn=auth

Please, can you confirm? If not, please, try switching selinux into permissive mode.

I consider adding KRB5_KTNAME into default /etc/sysconfig/slapd, as a comment.
Comment 3 Braden McDaniel 2012-08-07 11:35:52 EDT
(In reply to comment #2)
> I set it up in my testing environment and it seems to work:
> 
> $ cat /etc/sysconfig/slapd 
> SLAPD_URLS="ldapi:/// ldap:///"
> KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
> $ ldapwhoami -Y GSSAPI -N -H ldap://ldap.example.com
> SASL/GSSAPI authentication started
> SASL username: jvcelak@EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jvcelak,cn=example.com,cn=gssapi,cn=auth
> 
> Please, can you confirm? If not, please, try switching selinux into
> permissive mode.

Yes, it works for me as well.

> I consider adding KRB5_KTNAME into default /etc/sysconfig/slapd, as a
> comment.

Certainly if I had seen such a comment without "export", I would not have migrated that bit over (from the /etc/sysconfig/ldap script).
Comment 4 Jan Vcelak 2012-08-09 04:55:58 EDT
KRB5_KTNAME is now in default /etc/sysconfig/slapd:
http://pkgs.fedoraproject.org/cgit/openldap.git/commit/?id=bfe48e2

And I have added a notice about this change to OpenLDAP upstream FAQ list:
http://www.openldap.org/faq/data/cache/630.html

Closing this as RAWHIDE. It will be included in the next build.
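The reason the "export" form fails is that slapd on Fedora 17 is started by systemd, which loads /etc/sysconfig/slapd as an EnvironmentFile of plain KEY=VALUE lines rather than sourcing it with a shell; a line beginning with "export" is therefore not recognised as an assignment, slapd never receives KRB5_KTNAME, and the GSSAPI bind fails with the unhelpful "Unspecified GSS failure" shown in the report. The script below is an added example (not code from the bug report or from the Fedora openldap package) that checks a sysconfig file for this mistake, extracts the keytab path slapd would actually see, and verifies that the path exists and is readable. File names and the sample sysconfig content are constructed for the demonstration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: lint an EnvironmentFile-style /etc/sysconfig/slapd for
# the "export KRB5_KTNAME=..." mistake. systemd parses EnvironmentFile as
# KEY=VALUE lines (last assignment wins), so a line starting with
# "export " defines nothing and the keytab setting is silently dropped.

# lint_sysconfig FILE
#   Prints every line systemd would ignore because it starts with
#   "export ". Returns 1 if any such line exists, 0 otherwise.
lint_sysconfig() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                     # blank or comment
            'export '*)
                printf 'ignored by systemd: %s\n' "$line"
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# keytab_path FILE
#   Prints the keytab path slapd would receive from KRB5_KTNAME: the last
#   KRB5_KTNAME= assignment, with surrounding quotes and an optional
#   "FILE:" prefix stripped. Prints an empty line if it is never set.
keytab_path() {
    v=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            KRB5_KTNAME=*)
                v=${line#KRB5_KTNAME=}
                v=${v#\"}; v=${v%\"}                 # strip double quotes
                v=${v#\'}; v=${v%\'}                 # strip single quotes
                v=${v#FILE:}                         # krb5 keytab type prefix
                ;;
        esac
    done < "$1"
    printf '%s\n' "$v"
}

# check_keytab PATH
#   Returns 0 if the keytab exists and is readable by the current user.
#   Run this as the account slapd runs under (ldap on Fedora) to catch
#   ownership, mode and SELinux denials the daemon would hit.
check_keytab() {
    [ -n "$1" ] || { echo 'KRB5_KTNAME is not set' >&2; return 1; }
    [ -f "$1" ] || { echo "keytab $1 does not exist" >&2; return 1; }
    [ -r "$1" ] || { echo "keytab $1 is not readable" >&2; return 1; }
    return 0
}

# Demonstration on a constructed copy of the broken sysconfig from the
# report (not the real /etc/sysconfig/slapd).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
SLAPD_URLS="ldapi:/// ldap:///"
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
EOF
if lint_sysconfig "$tmp"; then
    echo "OK: slapd would see KRB5_KTNAME=$(keytab_path "$tmp")"
else
    echo "FIX: drop the leading 'export' so systemd passes KRB5_KTNAME to slapd"
fi
rm -f "$tmp"
```

Run it against the real file with "lint_sysconfig /etc/sysconfig/slapd" and then "check_keytab $(keytab_path /etc/sysconfig/slapd)" as the ldap user; the second step is the one that distinguishes a missing variable from a keytab the daemon cannot read, which is the SELinux case suggested in comment 2.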
