GSSAPI (for OpenLDAP) on FreeBSD 8?
Jan Henrik Sylvester
me at janh.de
Wed Sep 1 16:51:15 UTC 2010
I have got problems with GSSAPI authentication to OpenLDAP:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No
credentials were supplied, or the credentials were unavailable or
inaccessible. (unknown mech-code 0 for mech unknown)
There were at least two discussions, multiple bug reports, and patches
about broken GSSAPI on FreeBSD 8, the longest (I found) starting here:
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
After reading through these discussions, I do not know what the proper
fix is -- I would like to change as little as possible introducing SASL
authentication to a (production) OpenLDAP server.
I have got: An i386 kerberos server, a ldap server in a jail on i386,
some amd64 clients -- all running 8.1-RELEASE. Eventually there need to
be some Debian/Ubuntu clients using GSSAPI/SASL, too.
What do I need to "fix"? Just the ldap server? Is it enough to change
the jail or does the host needs to be patches, too? Or do I need to fix
the client, too? The kerberos server?
From the discussion, multiple fixes were possible. Patching libgssapi
and reinstalling everything depending on it (what?), installing the
heimdal-1.0 port (while FreeBSD 8 comes with heimdal-1.1), installing an
unofficial heimdal-1.2 port, ...
Is that correct? Anything new after the discussion in July?
From the discussion, some patches should already be in 8-STABLE, but I
could not find the revision (after 8.1-RELEASE).
If I upgraded the ldap jail to 8-STABLE, I guess the host needs to be
updated, too. Hence I would prefer to just change ports or update single
libraries.
Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
libgssapi patch? With the heimdal-1.2 port?
Thanks,
Jan Henrik
More information about the freebsd-stable
mailing list