GSSAPI (for OpenLDAP) on FreeBSD 8?
Jeremy Chadwick
freebsd at jdc.parodius.com
Thu Sep 2 11:50:50 UTC 2010
On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
> I have got problems with GSSAPI authentication to OpenLDAP:
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> No credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)
>
> There were at least two discussions, multiple bug reports, and
> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
> starting here: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>
> After reading through these discussions, I do not know what the
> proper fix is -- I would like to change as little as possible
> introducing SASL authentication to a (production) OpenLDAP server.
>
> I have got: An i386 kerberos server, a ldap server in a jail on
> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>
> What do I need to "fix"? Just the ldap server? Is it enough to
> change the jail or does the host need to be patched, too? Or do I
> need to fix the client, too? The kerberos server?
>
> From the discussion, multiple fixes were possible. Patching
> libgssapi and reinstalling everything depending on it (what?),
> installing the heimdal-1.0 port (while FreeBSD 8 comes with
> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>
> Is that correct? Anything new after the discussion in July?
>
> From the discussion, some patches should already be in 8-STABLE, but
> I could not find the revision (after 8.1-RELEASE).
>
> If I upgraded the ldap jail to 8-STABLE, I guess the host needs to
> be updated, too. Hence I would prefer to just change ports or update
> single libraries.
>
> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
> libgssapi patch? With the heimdal-1.2 port?
Can you please try the patch I proposed and see if it improves your
situation? Thanks.
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |