From owner-freebsd-questions@FreeBSD.ORG Thu Feb 3 19:47:02 2011
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D69921065674
	for ; Thu, 3 Feb 2011 19:47:02 +0000 (UTC)
	(envelope-from prvs=0015394c74=kalts@estcard.ee)
Received: from smtp.estcard.ee (smtp.estcard.ee [194.204.11.100])
	by mx1.freebsd.org (Postfix) with ESMTP id 755838FC20
	for ; Thu, 3 Feb 2011 19:47:02 +0000 (UTC)
Received: from fserv.internal ([192.168.10.3])
	by smtp.estcard.ee with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.73) (envelope-from )
	id 1Pl58p-0006jc-LK; Thu, 03 Feb 2011 21:47:01 +0200
Received: from myhakas.internal ([192.168.21.128])
	by fserv.internal with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.69) (envelope-from )
	id 1Pl58p-0000jq-Ge; Thu, 03 Feb 2011 21:46:55 +0200
Received: from kalts by myhakas.internal with local (Exim 4.69)
	(envelope-from )
	id 1Pl58p-0006yf-F9; Thu, 03 Feb 2011 21:46:55 +0200
Date: Thu, 3 Feb 2011 21:46:55 +0200
From: Vallo Kallaste
To: Jan Henrik Sylvester
Message-ID: <20110203194655.GA26551@hape.internal>
References: <20110131154759.GA17485@hape.internal> <4D46E6A8.8040408@janh.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4D46E6A8.8040408@janh.de>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: questions-list freebsd
Subject: Re: FreeBSD 8.2: state of Kerberos, GSS-API and (Cyrus) SASL?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: kalts@estpak.ee
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 03 Feb 2011 19:47:02 -0000

On Mon, Jan 31, 2011 at 05:43:20PM +0100, Jan Henrik Sylvester wrote:

> I am struggling with exactly the same problem. Unfortunately, I got
> no reply on this list about it:
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-January/226495.html
>
> If you get any further, please, tell me. I am thinking about
> reposting my question to a different list: stable as that is where
> the earlier discussions happened or ports as that seems more
> appropriate.

Installed the net/openldap24-server port defining WITH_SASL=YES and it
seems that SASL/GSSAPI authentication works:

[vallo@kdc2 ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_NoXXXX
        Principal: vallo@EXAMPLE.COM

  Issued           Expires          Principal
Feb  3 21:20:48  Feb  4 21:02:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb  3 21:25:44  Feb  4 21:02:45  ldap/kdc2.internal@EXAMPLE.COM

[vallo@kdc2 ~]$ ldapsearch -Y GSSAPI -b '' -s base '(objectclass=*)' namingContexts
SASL/GSSAPI authentication started
SASL username: vallo@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Slapd needs read access to /etc/krb5.keytab or a separate keytab. The
keytab must contain the ldap service account, of course. This example was
done on the system the slapd runs on.

Please let me know if you get it working (or not).
-- 
Vallo
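The reply above boils down to three preconditions: the keytab slapd reads must hold the ldap/<fqdn> service principal, the uid slapd runs as must be able to read that keytab, and the client bind must actually come back with a SASL data security layer. The script below is an added example (it is not from the mail, the list, or the OpenLDAP/FreeBSD projects) that checks those three things. The hostname and realm are taken from the mail's output; the keytab path, the slapd user `ldap`, the `ktutil` listing and the ldapsearch transcripts embedded at the bottom are constructed for the example, and the `MIN_SSF` threshold is an assumed policy value.

```shell
#!/bin/sh
# Added example, not part of the original mail: check the three things the
# reply relies on for a working GSSAPI bind to slapd:
#   1. the keytab slapd reads contains ldap/<fqdn>@REALM,
#   2. the uid slapd runs as can read that keytab,
#   3. ldapsearch -Y GSSAPI negotiated a data security layer (SSF >= MIN_SSF).
# Host and realm come from the mail; keytab path, slapd user, threshold and the
# sample tool output below are constructed/assumed for this example.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"      # or a separate keytab named via KRB5_KTNAME
SLAPD_USER="${SLAPD_USER:-ldap}"           # assumed uid slapd runs as
LDAP_HOST="${LDAP_HOST:-kdc2.internal}"
REALM="${REALM:-EXAMPLE.COM}"
MIN_SSF="${MIN_SSF:-56}"                   # assumed floor; the mail shows SSF 56

# 1. Is ldap/<host>@REALM present in a `ktutil -k $KEYTAB list` listing?
#    $1 = listing text (Heimdal format: Vno, Type, Principal columns)
keytab_has_ldap_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]ldap/${LDAP_HOST}@${REALM}\$"
}

# 2. Can SLAPD_USER open the keytab for reading? Needs root to switch uid.
keytab_readable_by_slapd() {
    su -m "$SLAPD_USER" -c "test -r '$KEYTAB'"
}

# 3. Extract the SASL summary lines ldapsearch prints and check the layer.
#    $1 = captured ldapsearch output (stdout and stderr merged)
sasl_username() {
    printf '%s\n' "$1" | sed -n 's/^SASL username: //p' | head -n 1
}
sasl_ssf() {
    printf '%s\n' "$1" | sed -n 's/^SASL SSF: //p' | head -n 1
}
sasl_layer_ok() {
    ssf=$(sasl_ssf "$1")
    [ -n "$ssf" ] && [ "$ssf" -ge "$MIN_SSF" ] &&
        printf '%s\n' "$1" | grep -q '^SASL data security layer installed'
}

# Run the real tools and apply the checks in order (only with --run).
run_checks() {
    keytab_has_ldap_principal "$(ktutil -k "$KEYTAB" list)" ||
        { echo "ldap/${LDAP_HOST}@${REALM} missing from $KEYTAB" >&2; return 1; }
    keytab_readable_by_slapd ||
        { echo "$SLAPD_USER cannot read $KEYTAB" >&2; return 1; }
    # -O minssf= makes the client refuse a bind that does not reach the floor.
    out=$(ldapsearch -Y GSSAPI -O "minssf=$MIN_SSF" -H "ldap://$LDAP_HOST/" \
              -b '' -s base '(objectclass=*)' namingContexts 2>&1) ||
        { printf '%s\n' "$out" >&2; return 1; }
    sasl_layer_ok "$out" ||
        { echo "bind succeeded but no security layer >= $MIN_SSF" >&2; return 1; }
    echo "ok: $(sasl_username "$out") bound with SSF $(sasl_ssf "$out")"
}

# Constructed sample output, modelled on the mail, so the parsers run offline.
SAMPLE_KEYTAB_LIST='/etc/krb5.keytab:

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  host/kdc2.internal@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  ldap/kdc2.internal@EXAMPLE.COM'

SAMPLE_BIND_OK='SASL/GSSAPI authentication started
SASL username: vallo@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:
namingContexts: dc=example,dc=com'

SAMPLE_BIND_NOLAYER='SASL/GSSAPI authentication started
SASL username: vallo@EXAMPLE.COM
SASL SSF: 0
dn:
namingContexts: dc=example,dc=com'

case "${1:-}" in
    --run) run_checks ;;
esac
```

Run it as root with `--run` on the slapd host; without arguments it only defines the functions and samples. Two points the mail does not spell out: the server-side counterpart of `-O minssf=` is `sasl-secprops minssf=56,noanonymous,noplain` in slapd.conf, and the SASL identity `vallo@EXAMPLE.COM` reaches slapd as `uid=vallo,cn=<realm>,cn=gssapi,cn=auth`, so an `authz-regexp` mapping it to a real entry DN is needed before DN-based ACLs apply to Kerberos users.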