GSSAPI (for OpenLDAP) on FreeBSD 8?

Jan Henrik Sylvester me at janh.de
Thu Sep 2 13:52:29 UTC 2010 

On 09/02/2010 13:50, Jeremy Chadwick wrote:
> On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
>> I have got problems with GSSAPI authentication to OpenLDAP:
>> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
>> error (80)
>>          additional info: SASL(-1): generic failure: GSSAPI Error:
>> No credentials were supplied, or the credentials were unavailable or
>> inaccessible. (unknown mech-code 0 for mech unknown)
>>
>> There were at least two discussions, multiple bug reports, and
>> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
>> starting here: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>>
>> After reading through these discussions, I do not know what the
>> proper fix is -- I would like to change as little as possible
>> introducing SASL authentication to a (production) OpenLDAP server.
>>
>> I have got: An i386 kerberos server, a ldap server in a jail on
>> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
>> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>>
>> What do I need to "fix"? Just the ldap server? Is it enough to
>> change the jail or does the host needs to be patches, too? Or do I
>> need to fix the client, too? The kerberos server?
>>
>>  From the discussion, multiple fixes were possible. Patching
>> libgssapi and reinstalling everything depending on it (what?),
>> installing the heimdal-1.0 port (while FreeBSD 8 comes with
>> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>>
>> Is that correct? Anything new after the discussion in July?
>>
>>  From the discussion, some patches should already be in 8-STABLE, but
>> I could not find the revision (after 8.1-RELEASE).
>>
>> If I upgraded the ldap jail to 8-STABLE, I guess the host needs to
>> be updated, too. Hence I would prefer to just change ports or update
>> single libraries.
>>
>> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
>> libgssapi patch? With the heimdal-1.2 port?
>
> Can you please try the patch I proposed and see if it improves your
> situation?  Thanks.
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

I had already tried the gss_release_buffer patch. It fixes that crash 
doing the GSSAPI operation from i386 and brings i386 in par with amd64 
-- to the error message I mentioned above.

I have also tried the change to /usr/bin/krb5-config before building 
OpenLDAP -- with no effect, either.

I have not tried the "big" libgssapi patch from kern/147454 as I was 
hoping to do a smaller change.

Cheers,
Jan Henrik

More information about the freebsd-stable mailing list